[squid-users] More host header forgery pain with peek/splice

Marcus Kool marcus.kool at urlfilterdb.com
Sun Sep 4 23:35:59 UTC 2016


Thanks for your reply.

The 13-year-old child in me says "I want it fixed yesterday"
since false positives are very painful and cannot always
be prevented since the environment where Squid works is
not always that easy to control.

You mentioned earlier that a fix will probably go in squid 5
which is long due and there is no workaround.  A second
thought is to have an acl that determines for which domains
the check must be skipped, but this is not optimal since
the admin gains an extra job.

My vote goes to re-prioritizing the fix and putting it in Squid 4.
Of course I have no idea about the implications.

Thanks
Marcus


On 09/04/2016 01:12 PM, Amos Jeffries wrote:
> On 31/08/2016 5:25 a.m., Marcus Kool wrote:
>> Do I understand it correctly that Squid in normal proxy mode
>> allows malware to do a CONNECT to any destination, while in
>> transparent proxy mode it does extra security checks which cause
>> some regular (non-malware) clients to fail?
>
>
> Intercepted traffic has different processing applied, different
> assumptions made about the traffic, and different security model
> relevant to its messages.
>
> The short answer is "yes", but reality is not that simple black/white.
>
>
>>
>> And philosophical questions: is Squid the right tool
>> to stop malware?  If yes, is it acceptable that connections
>> of regular (non-malware) clients are wrongly dropped?
>
> No more or less than any software.
>
> Squid manages the HTTP that flows through it. If the malware uses HTTP
> messages to communicate then it very much part of Squid's job to prevent
> that. Other protocols Squid is not responsible for, except to prevent
> itself being a vector of attack.
>
>>
>> IMO Squid should do all it can to be a secure proxy.
>
> Which is the case for Host forgery attacks. If Squid did not MITM the
> network traffic, there would not be a vulnerability to Host forgery
> issues. Therefore an intercept/tproxy Squid is very much responsible for
> preventing this particular type of attack which it causes to exist.
>
> A forward-proxy or reverse-proxy does not have that vulnerability,
> therefore does not need to check the same things.
>
>
>> Doing security checks on connections in an attempt
>> to stop malware sounds like a job for an antivirus / IDS tool.
>>
>
> Additional to what Squid does. Indeed many of those tools use a proxy
> service which performs the same or similar checks to what Squid does,
> with far more intrusive behaviour, or are themselves also vulnerable to
> becoming vectors of the Host attack(s). The Host attack(s) are
> vulnerability built into the concept of MITM'ing HTTP(S) traffic. It is
> not something specific to Squid.
>
> Amos
>

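The check Amos describes, that an intercepting proxy must verify the Host header against the TCP destination it actually intercepted, and the false positive Marcus is hitting, are easier to see in code. The following is an added illustration, not Squid's own implementation: it assumes the proxy knows the original destination IP of the intercepted connection and the Host header (or TLS SNI) the client sent, resolves the name with its own resolver, and requires the destination to be among the answers. DNS is stubbed with constructed tables (documentation addresses), the client's and the proxy's resolver deliberately disagree on a CDN name, and the suffix-based `skip_domains` exemption is a hypothetical stand-in for the "skip the check for these domains" acl floated above, not an existing Squid directive.

```python
"""Host-forgery check of the kind an intercepting proxy must make.

Added illustration, not Squid's own code. Assumptions: the proxy knows the
original TCP destination (dst_ip) of an intercepted connection and the Host
header (or TLS SNI) the client sent; it resolves the Host name with its own
resolver and requires dst_ip to be among the answers. DNS is stubbed with
constructed dicts so the script runs offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Iterable, Set

Resolver = Callable[[str], Set[str]]

# Constructed DNS views (documentation addresses only). The proxy's resolver
# and the client's resolver disagree on cdn.example.org, as CDNs with
# rotating or geo-specific answers commonly do; that disagreement is the
# source of the false positives discussed in the thread.
CLIENT_DNS = {
    "www.example.net": {"203.0.113.10"},
    "cdn.example.org": {"198.51.100.21", "198.51.100.22"},
    "c2.example.com":  {"192.0.2.200"},
}
PROXY_DNS = {
    "www.example.net": {"203.0.113.10"},
    "cdn.example.org": {"198.51.100.31", "198.51.100.32"},
    "c2.example.com":  {"192.0.2.200"},
}


def resolve_with(table: dict) -> Resolver:
    """Build a resolver function over one of the stub tables above."""
    return lambda name: set(table.get(name.lower(), ()))


@dataclass
class Verdict:
    action: str   # "allow", "deny" or "skip"
    reason: str


def split_host(host: str) -> str:
    """Drop an optional :port from a Host header value ([v6]:port aware)."""
    if host.startswith("["):
        return host[1:host.index("]")]
    if host.count(":") == 1:          # name:port or v4:port; bare v6 has more colons
        return host.split(":", 1)[0]
    return host


def check_host_forgery(dst_ip: str, host: str, resolve: Resolver,
                       skip_domains: Iterable[str] = ()) -> Verdict:
    """Decide whether Host is consistent with the intercepted destination."""
    dst = str(ip_address(dst_ip))
    name = split_host(host.strip())

    # A literal IP in Host must simply equal the intercepted destination.
    try:
        if ip_address(name) == ip_address(dst):
            return Verdict("allow", "Host is the intercepted IP")
        return Verdict("deny", f"Host IP {name} != destination {dst}")
    except ValueError:
        pass  # not a literal; fall through to the DNS comparison

    # Hypothetical admin-maintained exemption list (suffix match), standing in
    # for the "skip the check for these domains" acl suggested in the thread.
    for suffix in skip_domains:
        if name == suffix or name.endswith("." + suffix):
            return Verdict("skip", f"{name} exempted by {suffix}")

    answers = resolve(name)
    if not answers:
        return Verdict("deny", f"{name} does not resolve")
    if dst in answers:
        return Verdict("allow", f"{dst} is an address of {name}")
    return Verdict("deny", f"{dst} not in {sorted(answers)} for {name}")


def run_scenarios():
    """The three cases from the thread: forgery, false positive, exemption."""
    proxy = resolve_with(PROXY_DNS)
    return {
        # malware talking to its C2 IP while claiming an innocuous Host
        "forgery":        check_host_forgery("192.0.2.200", "www.example.net", proxy),
        # honest client whose resolver gave a different CDN node than the proxy sees
        "false_positive": check_host_forgery("198.51.100.21", "cdn.example.org", proxy),
        # same request with the domain exempted from the check
        "exempted":       check_host_forgery("198.51.100.21", "cdn.example.org", proxy,
                                             skip_domains=("example.org",)),
    }


if __name__ == "__main__":
    for label, v in run_scenarios().items():
        print(f"{label:15} {v.action:5} {v.reason}")
```

The forgery case is caught because the claimed Host never resolves to the intercepted destination. The false positive is structurally the same verdict: the client's resolver handed it one CDN node and the proxy's resolver sees two others, so the proxy cannot distinguish an honest client from a forger without either sharing the client's DNS view or exempting the domain, which is exactly the trade-off the thread is about.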