[squid-users] peek and splice content inspection question

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 13 15:38:47 UTC 2015


On 14/08/2015 12:47 a.m., Marko Cupać wrote:
> Hi,
> 
> a few years ago I had a working setup of squid + dansguardian which was
> giving me ability to inspect traffic and filter it according to various
> criteria, mainly extensions, mime types and presence of malicious code
> (clamav).
> 
> Lately most of the web moved to https, and dansguardian hasn't been
> maintained for almost three years, which made my setup obsolete.
> 
> Is it possible - by means of squid's peek and splice feature - to
> inspect file extensions and mime types of https traffic? Can bumped
> https traffic be forwarded to icap (squidclamav) for AV scanning?

Doing so is the feature's intended purpose.

> And
> finally, would an overly curious and unethical admin be able to easily dump
> bumped data and find sensitive information there?

When correctly used TLS cannot be decrypted.

But, most use of HTTPS today is not using TLS correctly.

If it could be bumped at all then it could be dumped as easily as
inspected by an AV.

Like a sharp knife can be as easily used for cutting vegetables as
throats. One's intent has nothing to do with the tool's capability or lack.

Amos
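
The setup asked about above, as an added example that is not part of the original thread and not the Squid project's own configuration: a squid.conf fragment in Squid 3.5 syntax that bumps HTTPS, filters by extension and MIME type, and passes decrypted traffic to squidclamav over ICAP. The file paths, the ICAP address and port, the blocked types and the spliced domain are assumptions or placeholders.

```conf
# Added example. All paths, ports and domains below are assumptions/placeholders.

# Listening port with SSL-Bump enabled; the CA certificate must be trusted by clients.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates (path is distro-dependent; Squid 3.5 name).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Step 1: peek at the TLS client hello to learn the SNI before deciding.
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites that must never be decrypted (placeholder domain): tunnel them untouched.
# Spliced traffic is not visible to the proxy, the AV scanner, or an admin.
acl no_inspect ssl::server_name .bank.example
ssl_bump splice no_inspect

# Everything else is decrypted. From here on it is plaintext inside Squid,
# so anything the AV can inspect can equally be logged or dumped.
ssl_bump bump all

# Extension filter: only works on bumped requests, where the URL path is visible.
acl blocked_ext urlpath_regex -i \.(exe|scr|bat)$
http_access deny blocked_ext

# MIME type filter on the response Content-Type header.
acl blocked_mime rep_mime_type -i ^application/x-msdownload$
http_reply_access deny blocked_mime

# Hand requests and responses to squidclamav through a local ICAP server.
icap_enable on
icap_service av_req  reqmod_precache  bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service av_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access av_req  allow all
adaptation_access av_resp allow all
```

With bypass=0 a failed ICAP service results in an error to the client instead of unscanned content being delivered.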


