[squid-users] squid youtube caching

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 24 20:44:32 UTC 2015


On 25/07/2015 3:34 a.m., Yuri Voinov wrote:
> 
> 24.07.15 21:15, Amos Jeffries wrote:
>> On 25/07/2015 12:38 a.m., Yuri Voinov wrote:
>>>
>>> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>>
>>> 24.07.15 18:33, joe wrote:
>>>> I don't see Strict-Transport-Security in my log header,
>>>> only Alternate-Protocol.
>>>> Can you post an example link, please?
>>>
> 
>> Note that the header may be sent over HTTP or HTTPS connection just once
>> with a value of up to 68 years. And the domain will be HTTPS from then
>> on as far as that client is concerned.
> 
>> Dropping Strict-Transport-Security therefore does nothing useful.
> In my setup it works for Chrome when the user types "youtube.com" in the
> address bar. The browser goes to http. Always.

Great to hear. I assume they are not placing a long duration on their
HSTS header then. Or that you successfully turned it off in some HTTPS
you intercepted sometime.

Like I said, they *could* send 68 years as the duration of non-HTTP.

> 
>> But Squid replacing it with a new value of "max-age=0;
>> includeSubDomains" will turn off the HSTS in the client for that domain.
> Which Squid?

I think 3.4+. The ones supporting reply_header_access and
reply_header_replace with custom header names. It was such a small,
rarely mentioned update that I've forgotten when it happened.


> 
>> Be careful with that though. HSTS is actually a good thing most of the
>> time. No matter how annoying it is to us proxying.
> This is a security illusion. Which is worse than insecure.
> 

No, HSTS is not an illusion. At least not beyond the illusions offered by
TLS itself (which ssl-bump shines a light on).

HSTS is just telling the client to use https:// on its URLs even if the
user types http:// or any page it gets contains an http:// URL. The TLS
connection goes to where the user actually wanted to go, and is as
secure as TLS is. Nothing is transferred over plain-text HTTP that could be
used to divert where the TLS was going to.
All else being equal (i.e. assuming TLS was secure), attackers would have
to control port 443 on the servers belonging to the host who happened to
only be offering port 80 service. Pretty rare thing, that.

In contrast, there *is* an illusion when an http:// redirects to https://,
because the http:// part can be intercepted and an attacker can replace the
redirect URL with its own https:// URL. HSTS avoids using the redirect
part at all.


> 
> 
>> Regarding Alternate-Protocol:
>>  The latest Squid will auto-remove it *always*. It usually indicates a
>> protocol experiment taking place by the website being visited (i.e. Google
>> and QUIC/SPDY) and does a lot of real damage to network security and
>> usability in any proxied network.
> No network security during DPI. So, all of these things are meaningless. IMHO.
> 

DPI ?

You recall why I put it in, right? All the complaints from people about
users bypassing their security rules and not being able to identify how
it was happening. It was a bit noisy in here a while back about all that.
That's what I mean by damage. If the person in charge of security doesn't
even know where the traffic is, they've got problems.


> All the usability we need, HTTP does.
> 


Amos
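As an added illustration of the client-side behaviour debated in this thread (this is not code from the thread or from Squid), here is a minimal HSTS host store following RFC 6797: the header is only noted when received over HTTPS, an http:// URL for a known host is upgraded locally so there is no redirect to intercept, a replaced value of `max-age=0` makes the client forget the host, and 2^31-1 seconds is where the "68 years" figure comes from. Host names and header values are constructed sample data.

```python
import re
import time

# Roughly 68 years: the largest max-age a signed 32-bit seconds counter can hold.
SIXTY_EIGHT_YEARS = 2**31 - 1  # 2147483647 s

def parse_sts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing/malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Minimal client-side HSTS host list following RFC 6797 (constructed example)."""
    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def on_response(self, host, scheme, headers):
        # RFC 6797 section 8.1: the header is only honoured over a secure transport.
        sts = headers.get("Strict-Transport-Security")
        parsed = parse_sts(sts) if scheme == "https" and sts else None
        if parsed is None:
            return  # plain HTTP, no header, or malformed header: nothing is noted
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 makes the client forget the host
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        now = self.now()
        return any(exp > now and (host == h or (sub and host.endswith("." + h)))
                   for h, (exp, sub) in self.hosts.items())

    def rewrite_url(self, url):
        # Upgrade http:// to https:// for a known host before any request is sent.
        m = re.match(r"http://([^/:?#]+)(.*)", url)
        if m and self.is_known(m.group(1).lower()):
            return "https://" + m.group(1) + m.group(2)
        return url
```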


