[squid-users] peek and splice content inspection question
Yuri Voinov
yvoinov at gmail.com
Thu Aug 13 20:54:21 UTC 2015
14.08.15 2:02, Marko Cupać writes:
> On Fri, 14 Aug 2015 03:38:47 +1200
> Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>> On 14/08/2015 12:47 a.m., Marko Cupać wrote:
>>> Hi,
>>>
>>> a few years ago I had a working setup of squid + dansguardian which
>>> was giving me ability to inspect traffic and filter it according to
>>> various criteria, mainly extensions, mime types and presence of
>>> malicious code (clamav).
>>>
>>> Lately most of the web moved to https, and dansguardian isn't
>>> maintained for almost three years, which made my setup obsolete.
>>>
>>> Is it possible - by means of squid's peek and splice feature - to
>>> inspect file extensions and mime types of https traffic? Can bumped
>>> https traffic be forwarded to icap (squidclamav) for AV scanning?
>>
>> Doing so is the feature's intended purpose.
>>
>>> And
>>> finally, would overly curious and unethical admin be able to easily
>>> dump bumped data and find sensitive information there?
>>
>> When correctly used TLS cannot be decrypted.
>>
>> But, most use of HTTPS today is not using TLS correctly.
>>
>> If it could be bumped at all then it could be dumped as easily as
>> inspected by an AV.
>>
>> Like a sharp knife can be as easily used for cutting vegetables as
>> throats. One's intent has nothing to do with the tool's capability or
>> lack.
>
> I completely agree with you, I shouldn't have mixed intent with
> capability which is great and which I intend to put to good use.
>
> So, if I understand well, if I just send traffic to squidclamav on icap
> tcp port, then I don't store usernames and passwords or private emails
> in cache?
I would not worry about it. Without physical access to the cache, such data
cannot be pulled out, given proper administration. Unless, of course, you
put the proxy in a phone booth on the street. If it starts to bother me,
I either start using an encrypted file system, or build a completely black
box, i.e. completely disable logging of user access.
>
>
> This is important to me in order to explain the complete mechanism to
> management and to create understandable policy for end users.