[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
Amos Jeffries
squid3 at treenet.co.nz
Tue Sep 29 09:16:55 UTC 2015
On 29/09/2015 5:20 p.m., Yuri Voinov wrote:
> Don't think so we can detect pinned apps automatically. You need find it
> manually this time AFAIK.
Correct. There is no way for Squid to know that some app running on a
separate client device, installed a random time earlier via another
network contains crypto keys. Or what they are used for when not
transmitted over the network.
>
> 29.09.15 2:29, HackXBack пишет:
>> Yuri, Dear friend.
>> use splice HAA ? ok and how you cant detect automatically to make squid
>> splice the pinned app automatically ?
>> other wise , it is a real problem if cant detected automatically ,
>> and in
>> my opinion it is a bug .
Completely unknown state in the remote client-end environment is not a
bug in the server software. It is not even a bug in the client software,
since this exact outcome is the designed purpose of cert pinning.
Do not forget that ssl-bump is an MITM injecting itself forcibly into
the private conversation between the client and server.
** When TLS is used properly HTTPS cannot be ssl-bumped. **
Cert pinning is not quite "properly" IMHO. But its close enough to ideal
to prevent bump working.
The only way to know about cert pinning is to inspect investigate the
client app. That means manually at present.
NP: I have no idea or opinion about whether the site in question is
doing pinning or not.
Amos
More information about the squid-users
mailing list