[squid-users] question about squid and https connection .

Alex Rousskov rousskov at measurement-factory.com
Thu Jul 12 20:27:00 UTC 2018


On 07/12/2018 01:17 PM, --Ahmad-- wrote:

> if i have pc# 1 and that pc open facebook .
> 
> then i have other pc # 2 and that other pc open facebook .
> 
> 
> now  as we know facebook is https .
> 
> so is the key/ cert that used on pc # 1 is same as cert in pc # 2 to decrypt the fb encrypted traffic ?

Certificates themselves are not used (directly) to decrypt traffic
AFAIK, but yes, both PCs will see the same server certificate (ignoring
CDNs and other complications).



> now in the presence of squid .
> 
> if i used tcp connect method  , will it be different than above ?

If you are not bumping the connection, then both PCs will see the same
real Facebook certificate as if those PCs did not use a proxy.

If you are bumping the connection, then both PCs will see the same fake
certificate generated by Squid.



> say i used 200 proxies in same squid machine and i used to access FB from the same pc same browser .
> 
> will facebook see my cert/key i used to decrypt its traffic ?

If you are asking whether Facebook will know anything about the fake
certificate generated by Squid for clients, then the answer is "no,
unless Facebook runs some special client code to deliver (Squid)
certificate back to Facebook".

In general, the origin server assumes that the client is talking to it
directly. Clients may pin or otherwise restrict certificates that they
trust, but after the connection is successfully established, the server
may assume that it is talking to the client directly. A paranoid server
may deliver special code to double check that assumption, but there are
other, more standard methods to prevent bumping such as certificate
pinning and certificate transparency cervices.



> is the key/cert of FB to decrypt the https content is same on all browsers on all computers ?

If you are asking whether the generated certificates are going to be the
same for all clients, then the answer is "yes, provided all those 200
Squids use the same configuration (including the CA certificate) and
receive the same real certificate from Facebook". Squid's certificate
generation algorithm generates the same certificate given the same
configuration and the same origin server certificate.


HTH,

Alex.


More information about the squid-users mailing list