[squid-users] transparent proxy https and self signed certificate error
Amos Jeffries
squid3 at treenet.co.nz
Sun Oct 5 10:22:15 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 5/10/2014 7:30 p.m., Jason Haar wrote:
> On 05/10/14 18:44, Amos Jeffries wrote:
>> PS. Google with Chrome appear these days to be the champions of
>> unbreakable TLS, their software is continually being updated to
>> use/invent new TLS features that close loopholes in TLS design
>> which allow ssl-bump to take place. What worked last month has no
>> guarantee of working today, same again next month.
> That can't be right? I mean, sslbump doesn't rely on any "bugs" -
> it is simply a CA and so any browser that thinks it's a CA should
> be happy going to any https website using appropriate certs signed
> by that CA?
The CA system itself is the design flaw. No I would not go so far as
to say "bug" (thats code) but "loophole" and "flaw" are more
appropriate for a system design problem.
The intention and design of TLS/SSL is to prevent third-party
intermediaries (is Squid) inntercepting communications (is ssl-bump)
and looking at what the traffic inside is. Anything that lets a third
party access is by definintion a flaw in the TLS protocol design.
>
> I know Chrome has *cert pinning* (ie they hardwired the CAs that
> Google knows *.google.com uses into Chrome), but that isn't a
> "loophole".
>
Yes, cert pinning, HSTS, hard coded google.com CA certificates ...
whatever they can think of next.
> sslbump seems to work as well as can be expected. But pinning also
> appears to be growing in stature (Firefox now does it too), so
> there are less and less sites that sslbump can work on. I wanted to
> use sslbump so that we could run AV and filtering on https links,
> but pinning means our "exclude list" of https sites is getting
> larger and larger - and includes Cloud providers the badguys are
> housing their malware on - which means our AV still can't catch it
> :-(
>
MSIE 11 seems to be growing in popularity for some reason ;-)
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUMRvXAAoJELJo5wb/XPRjJIYIAJHx4z+EVNklXjSIqdmOuqeu
6ZHajLCDm/yGt6+JyLvJARNkVtfL2buiw4PbgLqJ+mHWpTFiU0Jvat3JX1vVPmMx
IgpgmMVTV185Rv12V3CrFFVNAfAgqVjgCgP5tYiJ6idAzOpLUaWfEHNzMtrCmg+s
/yNr9may7zbi8HxUw22Egjj565Dfp0eB3zGGGNiUunrQ9CkI/hBHtWAoMTKk6oFE
I923uzi6Kmmuidmw+9WFM38VsKHslspu3/celZT7uVj2QrqDYzrh7Li5dLbL42W3
/WcJu90PJngUkY9E2RFcJoq7cppFR6stnO9sytuSS1lhOCY4MRTUCrYrCy1y2YU=
=d/33
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list