[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump
Amos Jeffries
squid3 at treenet.co.nz
Wed Jun 24 16:55:49 UTC 2015
On 25/06/2015 4:00 a.m., Yuri Voinov wrote:
>
> Tom,
>
> one simple question.
>
> Soon, all or almost all the Internet go into HTTPS. Why do you then need
> caching proxy?
Because HTTPS is more cacheable than HTTP. A lot of misguided developers
that go needlessly out of their way to prevent caching their http://
content omit the same in https:// (its end-to-end right? ;-). Which is
one of the several reasons HTTPS still works "fast" despite the extra
overheads of MITM decryption.
> The tunnel connection and process ACLs?
>
> My second question to Amos. Amos, what the hell do we under these
> conditions caching proxy?
Even the experts in the IETF are divided over that question. The only
thing to do right now is rollout MITM across the whole Internet to match
it. The HTTPS bumpign and decryption related threads in here and
elsewhere is a good reflection of that happening as well.
Though efforts are underway to convince the browser people to fix their
lack of TLS-to-proxy for security on http:// and cacheable DRM-style
crypto for just the payload of messages, etc. Once they accept that the
bogus arguments about http:// being "insecure" disappear.
Amos
More information about the squid-users
mailing list