[squid-users] Would it be possible to run a http to https gateway using squid?

Eliezer Croitoru eliezer at ngtech.co.il
Tue May 10 21:25:05 UTC 2016

I was wondering to myself, If I can generate certificates and bump the
connection, I can use a 302\308 to redirect all traffic from https to a
http(intercepatble) connection.

Then on the http interceptor rewrite the request into https.

I have a working setup which uses a redirection "attack" to authenticate
users over http+https.

Now the issue is that if all browsers will deny a redirection from https to
http(a downgrading attack) then the http world would look a bit weird.

I was thinking about such a downgrade attack on couple sites but I am unsure
how good it will be.

I have seen couple years ago that some ISPs used a redirection attack when
youtube used plain http, this was in order to allow a "pre-fetch" of a tiny
GET request.

Now since many others up-graded their security it's another story.


And as an addition I have seen that Microsoft use and "FTP" like transfer
protocol in their software.

They have a "secured" control channel which has certificates pinning or
something else as a safe guard,
and in more then one case they use another channel to fetch the request over
plain HTTP( when a proxy is defined).


Would it be reasonable to write and publish such a tool? Or is it a security
risk to publish such a tool to the public?





Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> 
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160511/a36b3008/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 11308 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160511/a36b3008/attachment.png>

More information about the squid-users mailing list