[squid-users] peek and splice content inspection question

Marko Cupać marko.cupac at mimar.rs
Thu Aug 13 20:02:43 UTC 2015


On Fri, 14 Aug 2015 03:38:47 +1200
Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 14/08/2015 12:47 a.m., Marko Cupać wrote:
> > Hi,
> > 
> > a few years ago I had a working setup of squid + dansguardian which
> > was giving me ability to inspect traffic and filter it according to
> > various criteria, mainly extensions, mime types and presence of
> > malicious code (clamav).
> > 
> > Lately most of the web moved to https, and dansguardian isn't
> > maintained for almost three years, which made my setup obsolete.
> > 
> > Is it possible - by means of squid's peek and splice feature - to
> > inspect file extensions and mime types of https traffic? Can bumped
> > https traffic be forwarded to icap (squidclamav) for AV scanning?
> 
> Doing so is the feature's intended purpose.
> 
> > And
> > finally, would overly curious and unethical admin be able to easily
> > dump bumped data and find sensitive information there?
> 
> When correctly used TLS cannot be decrypted.
> 
> But, most use of HTTPS today is not using TLS correctly.
> 
> If it could be bumped at all then it could be dumped as easily as
> inspected by an AV.
> 
> Like a sharp knife can be as easily used for cutting vegetables as
> throats. One's intent has nothing to do with the tool's capability or
> lack.

I completely agree with you, I shouldn't have mixed intent with
capability which is great and which I intend to put to good use.

So, if I understand well, if I just send traffic to squidclamav on icap
tcp port, then I don't store usernames and passwords or private emails
in cache?

This is important to me in order to explain the complete mechanism to
management and to create understandable policy for end users.
-- 
Marko Cupać
https://www.mimar.rs/
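For readers following the exchange above, here is an added squid.conf fragment (not from the thread, not Squid's shipped default) that wires together the pieces discussed: peek at the TLS handshake, bump the session, apply extension and MIME-type ACLs to the decrypted traffic, and hand requests and responses to squidclamav over ICAP. It assumes Squid 3.5-era syntax, a locally generated CA at /etc/squid/ssl/bump-ca.pem, squidclamav listening on 127.0.0.1:1344, a client network of 10.0.0.0/8 and a hypothetical domain .example-bank.invalid on the do-not-decrypt list; all of those are placeholders to adjust.

```conf
# Added example squid.conf fragment; assumed Squid 3.5 syntax and paths.

# Explicit proxy port able to mint per-site certificates signed by our CA
http_port 3128 ssl-bump cert=/etc/squid/ssl/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1: peek at the ClientHello to learn the requested server name (SNI)
acl step1 at_step SslBump1
ssl_bump peek step1

# Traffic that must never be decrypted (assumed list): splice it, i.e. pass
# the TLS session through untouched, so neither ICAP nor the proxy sees plaintext
acl nobump ssl::server_name .example-bank.invalid
ssl_bump splice nobump

# Everything else is bumped: decrypted, inspected, re-encrypted to the client
ssl_bump bump all

# Once bumped, the usual HTTP ACLs work on HTTPS content too
acl blocked_ext urlpath_regex -i \.(exe|scr|bat|cmd)$
http_access deny blocked_ext
acl blocked_mime rep_mime_type -i ^application/x-msdownload$
http_reply_access deny blocked_mime

# Send bumped requests and responses to squidclamav (bypass=off: fail closed
# if the ICAP server is down, rather than letting unscanned content through)
icap_enable on
icap_service clam_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
icap_service clam_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access clam_req allow all
adaptation_access clam_resp allow all

# Ordinary access control still applies (client network assumed)
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Two points follow from this layout. First, ICAP scanning and the on-disk cache are independent: sending a response to squidclamav does not by itself store or avoid storing it; what Squid writes to cache is governed by the `cache` directive and normal HTTP cacheability rules (`cache deny all` disables storing entirely). Second, anything that reaches the `ssl_bump bump` line exists as plaintext inside the proxy, which is the point Amos makes above; the `splice` list is the mechanism for keeping categories of traffic, such as banking or webmail, out of the proxy's hands altogether, and it is the part of the configuration worth spelling out in the user-facing policy.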

