[squid-users] transparent proxy https and self signed certificate error

Jason Haar Jason_Haar at trimble.com
Sun Oct 5 06:30:20 UTC 2014


On 05/10/14 18:44, Amos Jeffries wrote:
> PS. Google with Chrome appear these days to be the champions of
> unbreakable TLS, their software is continually being updated to
> use/invent new TLS features that close loopholes in TLS design which
> allow ssl-bump to take place. What worked last month has no guarantee
> of working today, same again next month.
That can't be right? I mean, sslbump doesn't rely on any "bugs" - it is
simply a CA and so any browser that thinks it's a CA should be happy
going to any https website using appropriate certs signed by that CA?

I know Chrome has *cert pinning* (i.e. they hardwired the CAs that Google
knows *.google.com uses into Chrome), but that isn't a "loophole".

sslbump seems to work as well as can be expected. But pinning also
appears to be growing in stature (Firefox now does it too), so there are
fewer and fewer sites that sslbump can work on. I wanted to use sslbump so
that we could run AV and filtering on https links, but pinning means our
"exclude list" of https sites is getting larger and larger - and
includes Cloud providers the bad guys are housing their malware on -
which means our AV still can't catch it :-(


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
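The two checks the thread is arguing about, as an added example that is not from this thread or from Squid: ordinary chain validation, which a proxy-minted certificate passes once the bump CA is in the client's trust store, and a pin on the site's SubjectPublicKeyInfo hash, which it cannot pass because the proxy never holds the site's private key. All CAs, hostnames and keys are generated in-process and are constructed for the example (Go standard library only).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent/parentKey; a nil parent makes it self-signed.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: dns,
		KeyUsage:    x509.KeyUsageDigitalSignature, // a leaf signs TLS handshakes
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { tmpl.KeyUsage = x509.KeyUsageCertSign } // a CA signs certificates instead
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin hashes the SubjectPublicKeyInfo, which is what a pin compares (browsers base64 it; hex here).
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// chainTrusted is the ordinary path check: does leaf chain to root and name host in its SANs?
func chainTrusted(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Demo returns (bumped leaf chains to the trusted bump CA, bumped leaf matches the site's pin).
func Demo() (bool, bool) {
	host := "www.example.com" // constructed names throughout; no real CA or site is involved
	publicCA, publicKey := issue("Public Root CA", true, nil, nil, nil)
	bumpCA, bumpKey := issue("Corporate ssl-bump CA", true, nil, nil, nil)
	realLeaf, _ := issue(host, false, []string{host}, publicCA, publicKey)
	bumpLeaf, _ := issue(host, false, []string{host}, bumpCA, bumpKey) // proxy-minted, fresh key
	pin := spkiPin(realLeaf) // the hash the browser has hardwired for this site
	return chainTrusted(bumpLeaf, bumpCA, host), spkiPin(bumpLeaf) == pin
}
```

Demo() returns (true, false): the bumped certificate verifies like any CA-issued certificate, and the pin check is the only thing that rejects it.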