[squid-users] Optimezed???

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 24 20:13:07 UTC 2015


On 25/09/2015 7:13 a.m., Yuri Voinov wrote:
> 
> First. This is potentially dangerous. Can you guarantee your proxy never
> has physical/network access by intruders? HTTPS can contain sensitive
> data. Are you really sure you want problems with users? As a minimum you
> need to protect your proxy at level B2 (by Orange Book).

No more so than regular HTTP. Particularly now that "TLS everywhere" is
getting popular amongst the big providers, HTTPS sensitivity is being
diluted.

HTTPS messages have the same Cache-Control requirements as unencrypted
HTTP. Squid obeys them just the same too.

What you do have to watch out for is protocol abuse in squid.conf like
refresh_pattern overrides and ignores. Those are what cause dangerous
trouble, and they do the same with plain HTTP. Proxy admins doing things
like that and breaking HTTP is part of what's making HTTPS popular to
begin with.


> 
> Second. Yes, it's dangerous, but possible with SSL Bump. With very
> aggressive cache parameters and in conjunction with the previous sentence. So,
> this is dangerous for many sites - for its functionality and security,
> in general.
> 

Problems with SSL-Bump are more legal related than technical.


> You still sure you want to do this?
> 


Amos
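The refresh_pattern "overrides and ignores" Amos warns about are easy to audit for. The script below is an added example, not part of this thread or of Squid itself: it scans a squid.conf on stdin for refresh_pattern rules carrying flags that discard the origin server's Cache-Control/Expires signals. The flag names are real Squid 3.5 refresh_pattern options, but the list of which ones count as dangerous is this script's own assumption, and the sample config is constructed.

```shell
#!/bin/sh
# Audit squid.conf for refresh_pattern options that override or ignore what
# the origin server said about cacheability. Assumed "dangerous" set for this
# audit (not a list Squid defines): each one throws away a cache directive.
DANGEROUS_FLAGS='ignore-no-store|ignore-private|ignore-auth|override-expire|override-lastmod|ignore-reload'

# Read a squid.conf on stdin; print every active refresh_pattern line that
# carries one of the flags above. Exit status is grep's: 0 if any were found.
audit_refresh_patterns() {
    grep -v '^[[:space:]]*#' \
      | grep '^[[:space:]]*refresh_pattern' \
      | grep -E "[[:space:]]($DANGEROUS_FLAGS)([[:space:]]|$)"
}

# Same input on stdin; prints just the number of offending rules.
count_dangerous_patterns() {
    audit_refresh_patterns | wc -l | tr -d ' '
}

# Constructed sample config. The first rule is the aggressive kind the thread
# warns about (caches no-store/private responses, ignores Expires); the rest
# are Squid's stock defaults, which honour the origin's directives.
SAMPLE_CONF='# aggressive override, flagged by the audit
refresh_pattern -i \.(jpg|png|js|css)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
# stock defaults, not flagged
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320'

# Stand-alone run against the sample; for a real proxy use:
#   count_dangerous_patterns < /etc/squid/squid.conf
printf '%s\n' "$SAMPLE_CONF" | audit_refresh_patterns
echo "dangerous refresh_pattern rules: $(printf '%s\n' "$SAMPLE_CONF" | count_dangerous_patterns)"
```

Rules matched here are the ones to review against the HTTP semantics Amos describes, since they are exactly the settings that make a cache (HTTP or HTTPS) misbehave.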

