[squid-users] question about squid and https connection .

login mogin loginmogin at gmail.com
Thu Jul 12 22:56:41 UTC 2018


Hi Ahmad,

A proxy will just change your IP when you are connecting to FB in this way, but
FB probably has, or at least should have, many other ways to detect whether
that's the same person connecting; to name just one, browser-based profiling.
They have your user_agent, browser extensions, cookies, etc.
In other words, you will have many other footprints.

Best
Logan

--Ahmad-- <ahmed.zaeem at netstream.ps> wrote on Thu, 12 Jul 2018 at 15:15:

> THANK YOU Guys ALL.
>
>
> So my question, in another way, is:
>
>
> If I have a Squid proxy and am using it the TCP_Connect way,
>
> and from the same PC and same browser try to open Facebook from 200
> different addresses,
>
> then Facebook won't have a footprint that there are 200 different addresses
> hitting FB from the same public key/cert.
>
> I just want to make sure there is no footprint happening.
>
> That's why I asked.
>
> Let me know your concerns, guys. Thanks a lot, guys!
>
> > On 12 Jul 2018, at 23:35, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
> >
> > Alex,
> >
> > Just to be sure:
> > Every RSA key and certificate pair, regardless of the origin server and
> > the SSL-BUMP enabled proxy, can be different.
> > If the key were the exact same one then we would probably have a very
> > big security issue/risk, to my understanding (leaving aside DH).
> >
> > Would it be more accurate to say that just as long as these 200 squid
> > instances (different squid.conf and a couple of other local variables)
> > use the exact same ssl_db cache directory, then it's probable that they
> > will use the same certificate?
> > Or these 200 squid instances are in SMP mode with 200 workers...
> > If these 200 instances do not share memory and certificate cache then
> > there is a possibility that the same site from two different sources
> > will serve different certificates (due to the RSA key, which is
> > different).
> >
> > Thanks,
> > Eliezer
> >
> > ----
> > Eliezer Croitoru
> > Linux System Administrator
> > Mobile: +972-5-28704261
> > Email: eliezer at ngtech.co.il
> >
> >
> >
> > -----Original Message-----
> > From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Alex Rousskov
> > Sent: Thursday, July 12, 2018 11:27 PM
> > To: --Ahmad-- <ahmed.zaeem at netstream.ps>; Squid Users <squid-users at lists.squid-cache.org>
> > Subject: Re: [squid-users] question about squid and https connection .
> >
> > On 07/12/2018 01:17 PM, --Ahmad-- wrote:
> >
> >> if i have pc# 1 and that pc open facebook .
> >>
> >> then i have other pc # 2 and that other pc open facebook .
> >>
> >>
> >> now  as we know facebook is https .
> >>
> >> so is the key/ cert that used on pc # 1 is same as cert in pc # 2 to
> >> decrypt the fb encrypted traffic ?
> >
> > Certificates themselves are not used (directly) to decrypt traffic
> > AFAIK, but yes, both PCs will see the same server certificate (ignoring
> > CDNs and other complications).
> >
> >
> >
> >> now in the presence of squid .
> >>
> >> if i used tcp connect method  , will it be different than above ?
> >
> > If you are not bumping the connection, then both PCs will see the same
> > real Facebook certificate as if those PCs did not use a proxy.
> >
> > If you are bumping the connection, then both PCs will see the same fake
> > certificate generated by Squid.
> >
> >
> >
> >> say i used 200 proxies in same squid machine and i used to access FB
> >> from the same pc same browser .
> >>
> >> will facebook see my cert/key i used to decrypt its traffic ?
> >
> > If you are asking whether Facebook will know anything about the fake
> > certificate generated by Squid for clients, then the answer is "no,
> > unless Facebook runs some special client code to deliver (Squid)
> > certificate back to Facebook".
> >
> > In general, the origin server assumes that the client is talking to it
> > directly. Clients may pin or otherwise restrict certificates that they
> > trust, but after the connection is successfully established, the server
> > may assume that it is talking to the client directly. A paranoid server
> > may deliver special code to double check that assumption, but there are
> > other, more standard methods to prevent bumping such as certificate
> > pinning and certificate transparency services.
> >
> >
> >
> >> is the key/cert of FB to decrypt the https content is same on all
> >> browsers on all computers ?
> >
> > If you are asking whether the generated certificates are going to be the
> > same for all clients, then the answer is "yes, provided all those 200
> > Squids use the same configuration (including the CA certificate) and
> > receive the same real certificate from Facebook". Squid's certificate
> > generation algorithm generates the same certificate given the same
> > configuration and the same origin server certificate.
> >
> >
> > HTH,
> >
> > Alex.
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
>
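
The two cases distinguished in the quoted replies (tunnelled CONNECT versus bumping), as a squid.conf fragment added here for illustration; it is not configuration posted by anyone in the thread. The port numbers, file paths and cache sizes are assumptions, and the directive spellings are those of Squid 4 (3.5 uses `cert=` and the `ssl_crtd` helper).

```conf
# --- Case A: no bumping (CONNECT is tunnelled) ---------------------------
# Squid only relays the encrypted bytes. The browser validates the origin
# server's real certificate, exactly as it would without a proxy.
http_port 3128

# --- Case B: bumping ------------------------------------------------------
# Squid terminates TLS itself and hands the client a certificate it mints,
# signed by the CA named in tls-cert= (path is an assumption).
http_port 3129 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that generates the minted certificates and stores them on disk.
# -s is the ssl_db directory mentioned in the thread (path is an assumption).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# ssl_bump rules only apply to ports opened with the ssl-bump flag (3129).
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Per the quoted replies: instances configured with the same CA certificate
# that receive the same origin certificate generate the same certificate,
# and that certificate is what the client sees, not the origin server.
```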