[squid-users] Would it be possible to run a http to https gateway using squid?

Amos Jeffries squid3 at treenet.co.nz
Mon May 16 08:21:30 UTC 2016


On 16/05/2016 12:53 p.m., Eliezer Croitoru wrote:
> Hey Amos,
> 
> You are right that it seems like there is no point since you already
> decrypt the connection.
> But in the real world the price of maintaining an encrypted session for
> many users for a long period is not the same as maintaining them for
> short burst.

Yes, the short connections have higher cost on almost all metrics.

The maintenance cost of either TCP or TLS connectison is a fixed
per-packet cost in both memory holding connection state and CPU cycles
handling the packet. The number of handshakes and open/close cycles adds
a burst of extra cost.


> 
> Since all YouTube traffic is done on HTTPS it would be pretty simple
> with these days tools to use some kind of a "https to http bridge"
> software that would
> fetch the pages for the clients(most of the pages are tiny) and it will
> help the clients to be able to handle less secured traffic.
> 

YT is secured as an attempt to protect privacy. You are ignoring the
most annoying part of the privacy equation.

For any piece of privacy critical information A, there is another piece
of metadata information B = uses(A) which can be correlated and thus
needs to be treated as equivalent in privacy to A itself.
 And of course that makes the start of a slippery slope in the
definition of privacy: B is private so it has its own C = uses(B), etc, etc.

So for example; given a YouTube video of some baby saying their first word:
 * That video as private,
 * meaning where its stored is private,
 * meaning who accessed that URL is private,
 * meaning pages containing the URL is private,
 * meaning who accesses YT pages is private,
 * meaning who tries to contact YT is private,
 * ... and is gets more paranoid from there.

There is a similar chain from other details about the video; the timing
of the video creation, who posted it, what type it is, how long it is,
file size, etc. It is all metadata and enough of that can be correlated.

In a world like ours where mass surveillance exists if those minor
details are not all 100% secured then privacy is lost.

<https://www.youtube.com/watch?v=7G1LjQSYM5Q>


> I know that with these days hardware it's almost not needed but inside a
> trusted network there is no point for using end to end HTTPS.(to my
> understanding)
> Some will might not believe that there are trusted networks in the wild
> but I know that these do exist and in many of these such a GW is required.

The Internet is not qualifying as a trusted network.

If you are talking about inbound connections from Internet / WAN into a
trusted network. That is the definition of a CDN / reverse-proxy and
"https_port 443 accel" has been doing that securely and very well since
Squid-2.6.


Amos



More information about the squid-users mailing list