[squid-users] Would it be possible to run a http to https gateway using squid?

Eliezer Croitoru eliezer at ngtech.co.il
Mon May 16 00:53:45 UTC 2016


Hey Amos,

You are right that it seems like there is no point since you already 
decrypt the connection.
But in the real world the price of maintaining an encrypted session for 
many users for a long period is not the same as maintaining them for 
short bursts.

Since all YouTube traffic is done on HTTPS it would be pretty simple 
with today's tools to use some kind of an "https to http bridge" 
software that would
fetch the pages for the clients (most of the pages are tiny) and it would 
help the clients to be able to handle less secured traffic.

I know that with today's hardware it's almost not needed, but inside a 
trusted network there is no point in using end-to-end HTTPS (to my 
understanding).
Some might not believe that there are trusted networks in the wild, 
but I know that these do exist and in many of these such a GW is required.

Eliezer

On 11/05/2016 08:40, Amos Jeffries wrote:
> On 11/05/2016 9:25 a.m., Eliezer Croitoru wrote:
>> I was wondering to myself, if I can generate certificates and bump the
>> connection, I can use a 302/308 to redirect all traffic from https to an
>> http (interceptable) connection.
>>
>> Then on the http interceptor rewrite the request into https.
> What would be the point? You already had to decrypt to do the bump and
> redirect.
>
>> I have a working setup which uses a redirection "attack" to authenticate
>> users over http+https.
>>
>> Now the issue is that if all browsers deny a redirection from https to
>> http (a downgrade attack) then the http world would look a bit weird.
>>
> Not that weird. It is called HTTP Strict Transport Security (HSTS).
>
>
>> And as an addition I have seen that Microsoft use an "FTP"-like transfer
>> protocol in their software.
>>
>> They have a "secured" control channel which has certificate pinning or
>> something else as a safeguard,
>> and in more than one case they use another channel to fetch the request over
>> plain HTTP (when a proxy is defined).
>>
> You will note that this is a very cache-friendly way to do crypto. The
> bulky part of the content is cacheable by anyone who needs to reduce
> bandwidth, but remains securely verifiable and integrity checked using
> the out-of-band details.
>
> However, it is not what you are talking about for your tool. The above
> method by MS requires intentional design in the web service with
> integrity checking actually performed by the endpoints.
>
> Under downgrade attack conditions the endpoints would not know that the
> extra work was needed, so one cannot assume that it is getting done. One
> of the reasons browsers are so into TLS is that the transport layer does
> all the verification and leaves them able to skip perceived slow
> security checks at higher levels.
>
>> Would it be reasonable to write and publish such a tool? Or is it a security
>> risk to publish such a tool to the public?
>>
> Up to you. AIUI it is illegal in most of the world to make use of it. Like
> most hacking tools if used other than for permitted penetration testing
> and research purposes.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users