[squid-users] More host header forgery pain with peek/splice

Amos Jeffries squid3 at treenet.co.nz
Sun Sep 4 16:12:21 UTC 2016


On 31/08/2016 5:25 a.m., Marcus Kool wrote:
> Do I understand it correctly that Squid in normal proxy mode
> allows malware to do a CONNECT to any destination, while in
> transparent proxy mode does extra security checks which causes
> some regular (non-malware) clients to fail?


Intercepted traffic has different processing applied, different
assumptions made about the traffic, and a different security model
relevant to its messages.

The short answer is "yes", but reality is not that simple black/white.


> 
> And philosophical questions: is Squid the right tool
> to stop malware?  If yes, is it acceptable that connections
> of regular (non-malware) clients are wrongly dropped?

No more or less than any software.

Squid manages the HTTP that flows through it. If the malware uses HTTP
messages to communicate then it is very much part of Squid's job to prevent
that. Other protocols Squid is not responsible for, except to prevent
itself being a vector of attack.

> 
> IMO Squid should do all it can to be a secure proxy.

Which is the case for Host forgery attacks. If Squid did not MITM the
network traffic, there would not be a vulnerability to Host forgery
issues. Therefore an intercept/tproxy Squid is very much responsible for
preventing this particular type of attack which it causes to exist.

A forward-proxy or reverse-proxy does not have that vulnerability,
therefore does not need to check the same things.


> Doing security checks on connections in an attempt
> to stop malware sounds like a job for an antivirus / IDS tool.
> 

Additional to what Squid does. Indeed many of those tools use a proxy
service which performs the same or similar checks to what Squid does,
with far more intrusive behaviour, or are themselves also vulnerable to
becoming vectors of the Host attack(s). The Host attack(s) are a
vulnerability built into the concept of MITM'ing HTTP(S) traffic. It is
not something specific to Squid.

Amos
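
The following is an added illustration, not part of Amos's reply and not Squid's own code. It models the check the reply is about: in intercept/tproxy mode the proxy holds two independent statements of the destination, the TCP address the client actually connected to (recovered from the intercepted socket) and the Host header the client wrote, and it refuses to relay when they disagree. A forward proxy only ever has the client's stated target (CONNECT host:port or an absolute URI) and so has nothing to cross-check, which is why the thread's "CONNECT to any destination" observation and the intercept-mode check are different situations. The hostnames, addresses, the PROXY_DNS table (standing in for the proxy's resolver) and the request cases are all constructed; the verdict strings and the decision to treat a non-resolving name as a failure are choices of this example, not Squid's.

```python
"""Illustrative Host-header forgery check for an intercepting HTTP proxy.

Added example; not Squid's code. All names and addresses are constructed.
PROXY_DNS stands in for the proxy's own resolver view.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Set, Tuple

# Constructed DNS view as seen by the PROXY (hypothetical names and IPs).
PROXY_DNS: Dict[str, Set[str]] = {
    "www.example.org": {"192.0.2.10"},
    "cdn.example.net": {"198.51.100.20", "198.51.100.21"},  # round-robin pool
    "bank.example": {"203.0.113.5"},
}


@dataclass(frozen=True)
class InterceptedRequest:
    orig_dst_ip: str     # where the client's TCP connection really went
    orig_dst_port: int   # (e.g. recovered via SO_ORIGINAL_DST / tproxy)
    host_header: str     # Host: as written by the client; "" if absent


def split_host(host_header: str, default_port: int) -> Tuple[str, int]:
    """Split 'name[:port]' or '[v6-literal][:port]' into (name, port).

    Bracketed form is required for IPv6 literals in Host, so a bare value
    with exactly one ':' is treated as name:port.
    """
    h = host_header.strip()
    if h.startswith("["):
        name, _, rest = h[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
        return name.lower(), port
    if h.count(":") == 1:
        name, _, port_s = h.partition(":")
        return name.lower(), int(port_s)
    return h.lower(), default_port


def is_ip_literal(name: str) -> bool:
    try:
        ip_address(name)
        return True
    except ValueError:
        return False


def check_host_forgery(req: InterceptedRequest,
                       resolver: Dict[str, Set[str]] = PROXY_DNS) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'forged' or 'unverifiable'.

    'ok' means the Host header, resolved by the PROXY, names the address
    and port the client actually connected to. Anything else is refused
    because the proxy would otherwise route or filter by an attacker-chosen
    name while the bytes go to an attacker-chosen address.
    """
    if not req.host_header:
        return "unverifiable", "no Host header to compare against"
    name, port = split_host(req.host_header, req.orig_dst_port)
    if port != req.orig_dst_port:
        return "forged", f"Host port {port} != intercepted port {req.orig_dst_port}"
    if is_ip_literal(name):
        if ip_address(name) == ip_address(req.orig_dst_ip):
            return "ok", "Host is the literal destination address"
        return "forged", f"Host literal {name} != destination {req.orig_dst_ip}"
    addrs = resolver.get(name)
    if not addrs:
        return "forged", f"{name} does not resolve for the proxy"
    if req.orig_dst_ip in addrs:
        return "ok", f"{name} resolves to {req.orig_dst_ip}"
    return "forged", f"{name} resolves to {sorted(addrs)}, not {req.orig_dst_ip}"


# Constructed intercepted requests, one per situation raised in the thread.
CASES = {
    "honest": InterceptedRequest("192.0.2.10", 80, "www.example.org"),
    # Client connects to one server but writes a different, trusted name
    # into Host, hoping the proxy's ACLs/routing act on the name.
    "forged_name": InterceptedRequest("192.0.2.10", 80, "bank.example"),
    "forged_port": InterceptedRequest("192.0.2.10", 80, "www.example.org:8080"),
    "ip_literal_v6": InterceptedRequest("2001:db8::10", 443, "[2001:db8::10]:443"),
    # Honest client whose own resolver returned a pool member the proxy's
    # resolver does not currently return. The check cannot distinguish this
    # from forgery: this is the "regular clients fail" case from the thread.
    "round_robin_skew": InterceptedRequest("198.51.100.22", 80, "cdn.example.net"),
    "no_host": InterceptedRequest("192.0.2.10", 80, ""),
}


def run_cases(resolver: Dict[str, Set[str]] = PROXY_DNS) -> Dict[str, str]:
    return {name: check_host_forgery(req, resolver)[0] for name, req in CASES.items()}


if __name__ == "__main__":
    for name, req in CASES.items():
        verdict, why = check_host_forgery(req)
        print(f"{name:18} {verdict:12} {why}")
```

The round_robin_skew case is the design point worth noting: the only way the proxy can verify the Host header is against its own DNS view, so any honest client whose resolver answers differ from the proxy's (CDN round-robin, split-horizon DNS, stale caches) is refused exactly as a forgery would be. Pointing clients at the same resolver the proxy uses is the usual way to shrink that gap; relaxing the check instead reopens the forgery.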


