[squid-users] About SSL peek-n-splice/bump configurations

Alex Rousskov rousskov at measurement-factory.com
Mon Aug 13 05:00:41 UTC 2018 

On 08/12/2018 06:57 PM, Julian Perconti wrote:
>> De: Alex Rousskov <rousskov at measurement-factory.com>
>> Enviado el: domingo, 12 de agosto de 2018 20:50
>> Para: Julian Perconti <vh1988 at yahoo.com.ar>; squid-users at lists.squid-cache.org
>> Asunto: Re: [squid-users] About SSL peek-n-splice/bump configurations
>>
>> On 08/12/2018 04:09 PM, Julian Perconti wrote:
>>> I would like to know which of these two cfg's are "better" or "more secure"
>>> when a site/domain is spliced, bumped, etc.

>> It is impossible to answer that question without knowing how _you_ define
>> "better" or "more secure".


> I tried to meant, "security" from the client-side accessing to a
> non-bumped or spliced site, i.g.: bank website... client-side
> "privacy" or an a -real- man-in-the-middle attack due to squid in the
> middle.

A splicing Squid does not perform a man-in-the-middle attack on TLS or
HTTP traffic. It essentially acts as a TCP/IP-level proxy and can log
TLS handshake details. In some environments, doing all that improves
"privacy" and "security". In others, it makes things worse (for some
definition of "privacy" and "security").

A bumping Squid performs a man-in-the-middle attack on TLS traffic.
After a successful attack, it essentially acts as an HTTP-level proxy
and can log or even alter TLS and HTTP traffic. In some environments,
doing all that improves "privacy" and "security" (for some definition of
"privacy" and "security"). In others, it makes things worse.

You would have to ask a much more specific question to get a more
specific (but still correct) answer.


> Is well-known that there is no system /network/o.s. 100% secure but,
> I dont know why, I always thought or stil think that with a https
> proxy/filtering, the security or "the things" tooggles more risky if
> this one did not exist. Even squid 100% correctly configured and
> server well secured.

There are examples where deploying a splicing or even bumping Squid
improves security of the humans and/or machines that are trusting Squid
to examine and/or police their traffic. There are counter-examples as
well. And I am sure that many installations can be viewed as both,
depending on who gets to define "privacy", "security", and the "right
balance" between the two.


> What does squid when I dont specify the step?

Bugs notwithstanding, Squid should either

* bump if you were staring during the previous (explicitly configured)
step or

* splice otherwise (including cases when no previous step was explicitly
configured or existed).

I would not rely on this (correct) behavior without testing (at least)
your Squid version (at least). I know that early SslBump implementations
had bugs in that area.


> For example:
> 
> What does squid do with..:
> ssl_bump splice step3 noBumpSites

Assuming there are no other rules, Squid should splice at step1 (see the
"splice otherwise" rule above).


> ...And what it do instead with this?:
> ssl_bump splice noBumpSites

Assuming there are no other rules, Squid should splice at step1. It will
do that when noBumpSites matches (naturally) and if noBumpSites does not
match (per the "splice otherwise" rule above).


> So, Would You prefer option 2?

Sorry, I cannot answer this question -- too many unknown variables. It
is like asking a doctor whether she prefers to treat the patient with
drug A or drug B when the doctor does not know what the patient is
suffering from and what the patient's treatment preferences/goals are.


>>> with Option 1 I don't see the domain in "TUNNEL" line, just the IP
>>> addr.)

>> I doubt that is how it is supposed to work. When splicing, Option 1 should
>> have the same or more information so it should log the domain name if
>> Option 2 has the domain name. If you are comparing log lines for identical
>> transactions, then this could be a Squid bug.

> I dont know, I just tell what happen in the access.log when I
> switching between these ssl_bump configs.

Yes, and I am just describing what should be happening (IMO). If what is
actually happening bothers you, and it does not match what should be
happening, and nobody comes up with a better explanation, then consider
filing a bug report and working with developers to address the problem.


HTH,

Alex.

More information about the squid-users mailing list