[squid-users] Squid 3 SSL bump: Google drive application could not connect
Marcus Kool
marcus.kool at urlfilterdb.com
Mon Jan 5 14:10:04 UTC 2015
On 01/05/2015 11:11 AM, Yuri Voinov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> And also:
>
> don't forget about bogus homebrew internet-bankings. Which is uses bogus SSL-certs with bogus GOST realisations. And bogus Java-based clients. All of them also uses 443 port. And often HTTPS with
> homebrew bogus features.
>
> We don't know, how to bump it.
>
> What about it? Pass-through? Pass-through.
>
> This is clean exclusion.
>
> So don't worry about SSH/Tor. To block them we will be use another solutions. DPI. And not always technical. Revoke administrative rights from clients is basics of security, like physical access to
> infrastructure. If they can't install Tor/SSH - why we can worry about this traffic?
>
> We have (and can solve) two simple problems. HTTP over 443 port. And SSL Pinning. That's all, folks.
It is clear what *you* want.
You prefer Squid + HTTP filter + Cisco/DPI + tcputils + sniffer + manual maintenance of ACLs/exclude list
> 05.01.2015 17:51, Marcus Kool пишет:
>> Much of the discussion so far has been about bumping traffic on port 443,
> > bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
> > other traffic. Since port 443 is used for many protocols, it is in many
> > cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443
> > are common, so are VPNs. Do you know a security officer who does not want
> > to block an SSH tunnel, or an app that can share corporate documents
> > on public websites? If there is not more attention to these kinds of
> > applications that use port 443 to circumvent corporate firewalls,
> > Squid will be doomed to be used only in environments where the priority
> > for security is low to non-existent. Just type "punching holes in corporate
> > firewalls" or "ssh tunnel proxy" in Google to see how easy it is to use an
> > SSH tunnel.
> >
> > I am the author of ufdbGuard, a filter for Squid and besides filtering
> > based on URLs, ufdbGuard also probes port 443 to see what kind of traffic
> > the server is expecting. By using probes, ufdbGuard can detect SSH tunnels,
> > popular chat protocols, etc. but it is not a 100% guaranteed solution
> > because ufdbGuard cannot not see the traffic that flows through the proxy,
> > i.e. there is not yet an interface for this type of traffic inspection.
> >
> > Marcus
> >
> >
> > On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:
> > Hey Yuri,
> >
> > Indeed there are other *NIX systems and for each and every one of them
> > there is a solution in need.
> >
> > SSL Pinned destinations cannot be identified automatically since the
> > are pinned inside a software and the certificate will not show
> > anything about that.
> > The basic tests we can do are:
> > - The host is using ssl or tls or not at all(based on the selective
> > answer of the service)
> > -
> > - If the connection is using tls\ssl then inspect the components of
> > the certificate(such as rootCA validation against the local machine
> > certificates DB)
> >
> > Depend on the goal of the certificate validation the decision will be
> > made to either allow the connection "uninspected" or to "bump" it as
> > is without any smart identification.
> >
> > If indeed there is a database
> > sqlite3\mysql\postgres\redis\memcached\others it can be used in the
> > iptables level.
> > Also a point in this DB and this cache is that it will be persistent
> > so what so ever the *NIX system is there is an option once the IP +
> > port was tagged as non-bump-able it is better be in the FIREWALL level
> > override better then squid external_acl.
> > Reason: If the kernel does what it needs to do then squid should not
> > touch the packets.
> > It's not always right but it's a point in the issue.
> > I still do not know how to work with NFQUEUE and I am sure that there
> > is an option to make a fast decision and if not then let the
> > connection be BUMPED.
> >
> > I have written a small golang script that can check couple things
> > about the ssl session at:
> > http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go
> >
> > Besides this helper there is another script which do couple things in
> > another level.
> >
> > ##########
> > If any thing will be decided for squid internals it will be after a
> > proof of concept that we can implement together.
> > Can we take this thread to storm and put on the table a proof of
> > concept logic for ssl inspection\bumping and bypassing?
> >
> > Eliezer
> >
> > On 01/05/2015 10:40 AM, Yuri Voinov wrote:
> > >>> Sounds good,
> > >>>
> > >>> but server world is not end on Linux. ;)
> > >>>
> > >>> Now exists another *NIX systems. And will exists further.
> > >>>
> > >>> Also. I have an idea, gents.
> > >>>
> > >>> Do we can easy and quickly detect SSL Pinned destinations? And
> > >>> remember it, for example, in database?
> > >>>
> > >>> In another words - both problems is similar. Either non-HTTPS
> > >>> traffic over 443 port, or pinned certs.
> > >>>
> > >>> Can we detect both of them automatically and add to exclude list?
> > >>>
> > >>> WBR, Yuri
> >
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users at lists.squid-cache.org
> >> http://lists.squid-cache.org/listinfo/squid-users
> >>
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBAgAGBQJUqo1oAAoJENNXIZxhPexGCqQIAKbEd2gclvG8FZHDS5RwotFa
> wPA+I+uLv0nfUO9whuWkJQmhCpCd0cPpyn1KVxiLe8g0CfcOu15uFZJGCOOdVjDV
> NGPsuZLZPMrhKPmZaRy4YmMw2zpbQTQXGtHmoFA2GPNaIXyG5fEAyZ1oDYTyOuz5
> djlAka3A01FE24TLT1mWREQEqb1YEtEwrzPyo5I/p5XEpnyR22ByA7Pam7cEsMXf
> +lVJSLAzcIrT6j+wp1PoJuHEUDkDlhl8aRuL3VndMk6MLkZ6TA7HLRFLx8FGzAmC
> 0fu6yEthb3QSrNnqTd0Lk22N/WTl3E0M4pYOsChSRlHByEV9RN1OiSryOAkodGU=
> =XVuO
> -----END PGP SIGNATURE-----
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
More information about the squid-users
mailing list