[squid-users] Would it be possible to run a http to https gateway using squid?

Amos Jeffries squid3 at treenet.co.nz
Wed May 11 05:40:05 UTC 2016


On 11/05/2016 9:25 a.m., Eliezer Croitoru wrote:
> I was wondering to myself, If I can generate certificates and bump the
> connection, I can use a 302\308 to redirect all traffic from https to a
> http(intercepatble) connection.
> 
> Then on the http interceptor rewrite the request into https.

What would be the point? You already had to decrypt to do the bump and
redirect.

> 
> I have a working setup which uses a redirection "attack" to authenticate
> users over http+https.
> 
> Now the issue is that if all browsers will deny a redirection from https to
> http(a downgrading attack) then the http world would look a bit weird.
> 

Not that weird. It is called HTTP Strict Transport Security (HSTS).


> 
> And as an addition I have seen that Microsoft use and "FTP" like transfer
> protocol in their software.
> 
> They have a "secured" control channel which has certificates pinning or
> something else as a safe guard,
> and in more then one case they use another channel to fetch the request over
> plain HTTP( when a proxy is defined).
> 

You will note that this is a very cache friendly way to do crypto. The
bulky part of the content is cacheable by anyone who needs to reduce
bandwith, but remains securely verifiable and integrity checked using
the off-band details.

However, it is not what you are talking about for your tool. The above
method by MS requires intentional design in the web service with
integrity checking actually performed by the endpoints.

 Under downgrade attack conditions the endpoints would not know that the
extra work was needed so one cannot assume that it is getting done. One
of the reasons browsers are so into TLS is that the transport layer does
all the verification and leaves them able to skip perceived slow
security checks at higher levels.

> 
> Would it be reasonable to write and publish such a tool? Or is it a security
> risk to publish such a tool to the public?
> 

Up to you. AIUI is illegal in most of the world to make use of it. Like
most hacking tools if used other than for permitted penetration testing
and research purposes.

Amos



More information about the squid-users mailing list