[squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

MK2018 mohammed.khallaf at gmail.com
Fri Apr 13 20:41:03 UTC 2018


Hello :)



Alex Rousskov wrote
> Believe it or not, there are still many Squid use cases where bumping is
> unnecessary. This includes, but is not limited to, HTTPS proxying cases
> with peek/splice/terminate rules and environments where Squid possesses
> the certificate issued by CAs trusted by clients. There are also IETF
> attempts to standardize transmission of encrypted but proxy-cachable
> content.
> 
> I agree that Squid user base will shrink if nobody can bump 3rd party
> traffic, but that reduction alone will not kill Squid.
> 
> Alex.

I would definitely disagree. Rich countries' citizens always forget the fact
that high quality corporate leased lines and dedicated bandwidth *do* cost
so much that letting users *hide* their unwanted traffic behind the *4th
amendment* HTTPS is unaffordable.


Naturally, HTTPS standards were designed to hide traffic. I don't mind users
hiding traffic content, let users burn in hell with it, let them rejoice
with Dante!

What I do mind is hiding full URLs and/or MIME types. Give me any low cost
solution that would reliably expose those and hide anything else you want.
Otherwise, it is useless to start a business in the first place!

I mean, even with appliances like those from Sophos or others that claim to
have full control over traffic, it still remains ugly guesswork combined
with an admin nightmare who then must block each and every category of
unwanted traffic!

Unless the protocol design changes to expose full URLs and/or MIME types,
nothing will replace Squid Bumping.

That being said, we are headed to the vortex by 2018.05.01. Let's drown
together, while we yell and curse at Google!

MK



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

