[squid-dev] request for change handling hostStrictVerify
Amos Jeffries
squid3 at treenet.co.nz
Mon Nov 1 12:01:40 UTC 2021
On 1/11/21 20:59, kk wrote:
>
> On Saturday, October 30, 2021 01:14 GMT, Alex Rousskov wrote:
>> On 10/29/21 8:37 PM, Amos Jeffries wrote:
>> > On 30/10/21 11:09, Alex Rousskov wrote:
>> >> On 10/26/21 5:46 PM, kk wrote:
>> >>
>> >>> - Squid enforces the Client to use SNI
>> >>> - Squid lookup IP for SNI (DNS resolution).
>> >>> - Squid forces the client to go to the resolved IP
>> >>
> > then malicious applets will escape browser IP-based protections.
> Browser should perform IP-based protection on browser (client) level and
> should therefore not traverse squid.
Your suggestion of making Squid "forces the client to go to the resolved
IP" bypasses any protections the Browser might do.
This would make the CVE-2009-0801 situation happen all over again. Just
with SNI as the bypass method instead of Host header.
Amos