[squid-users] DNS as an API - Squid-Cache version 3.5.19 RPMs
Eliezer Croitoru
eliezer at ngtech.co.il
Thu May 26 09:11:12 UTC 2016
Was published at: http://www1.ngtech.co.il/wpe/?p=273
I am happy to "Certify" Squid-Cache version 3.5.19 as
"Works For Me" on
CentOS(6+7), SLES(12SP1), Oracle Linux(6+7), RHEL(7), OpenSUSE(42.1 Leap),
Debian(8.4), Ubuntu(14.04+16.04)
HTTP is commonly used as an API for many purposes in any industry and in
many cases if you analyze an API specs and output you can see that some
thinking was invested in it.
Around the Internet we can find many ideas about API's and while some are
well published others are long forgotten and are considered "old". It is
true that when you look at some of the API's they might look "cryptic" or
"malformed" but these have a purpose. Most of these APIs was meant to be
public and as users we have access to all of them. But also many API's
requires some level of authentication or authorization which was clearly
meant to not be fully public.
Some hackers around the world see the opportunity to "hack" something when
possible. From my own API's which includes: HTTP, SMTP, DNS, WIFI HotSpot,
Moblie and many others it is clear that some might think that it's funny to
send some malformed packets towards a Router or an AP. But I feel that there
is a need to clear couple things out for any hacker.
Behind any System on the Internet there is some person which deserves
respect. The fact that the API is there means that you are not allowed to
hack it by it's owner unless it was designed for it.
When comparing the real world to the Internet API's not anyone can enter any
door or any place. Not anyone can enter a closed party or a secured area. It
would be a bit different since the minimum requirements to enter one place
would not be the same for another.
For example, in the hackers world it's known that there are ways to prove
your value and earn your "nick" or "name". Some hacking cultures are
restrictive in their approach and respect any API avoiding the flame of war.
While others think it's better to hack some API as a Proof Of Concept or a
Proof Of Knowledge.
White? Black? Green? Red? is there any meaning to all of these?
My answer is that all of these are hats, I do not have one and I do not want
one. I am a simple person who has couple very simple API's under his hands.
But I learned that to give a good example is a profession. Specifically it's
not simple to give an example for a hacking kid. If any hacking kid wants to
hack something, like in the real world, there are playgrounds for this sole
purpose and an example would be canyouhack.it <http://canyouhack.it/> . Also
these days if you want to learn how things work in the micro level we have
Lots of free and open Virtualization platforms. These exist in any part of
the Industry from the electricity level to the application.
All these tools was meant for the sole purpose of allowing the learning
curve to be easy simple and safe, to use a real world power tool in an
environment which will tolerate things which might not be acceptable in the
real world API's.
Not too far from the invention of HTTP the DNS system was invented and it's
an API like HTTP and many others. It is commonly used over UDP and has a
very limited size and format but it has power in the same level as a button
on a car dashboard. Technically it can and is being used in many places as a
trigger to some system. Indeed UDP is not reliable at the same level of TCP
but when the network equipment is trusted then there would be no reason to
not use UDP.
A list of things that can be done using a DNS service messaging:
* On\Off electrical switch
* Identity signaling(AKA Port Knocking)
* Banking transactions
* Queue status updates
* Alerts Signalling
And many other uses which can give an example to what an API can look like.
I had the pleasure to read couple books about APIs published by Nordic APIs
<http://nordicapis.com/> which gave me a fresh perspective on how others
see an API and what might happen on the wild Internet that requires
attention.
One key point which I learned from them is mentioned in the video "Good APIs
arenĀ“t built in a day" <https://www.youtube.com/watch?v=xjIiYTR-YyE>
And links to books from Nordic APIs <http://nordicapis.com/> which I had
the pleasure to read:
http://nordicapis.com/ebook-released-securing-the-api-stronghold/
http://nordicapis.com/api-security-the-4-defenses-of-the-api-stronghold/
* "Works For Me" means that it was tested on a testing environment
under real world usage in a forward proxy mode with daily usage traffic such
as Browsing News, Video, Learning and Games sites. Special applications that
was tested are SKYPE, IRC and couple other applications inside a fully
trusted network.
* An Advice: Any system which sits against a non-trusted and a hostile
public or private network should be "Harden" both in the squid configuration
level and other lower levels.
* This specific version(3.5.19) was tested also on Intercept proxy
mode and ssl-bump but only on forward-proxy and not Intercept mode.
----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 68793 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160526/d596c608/attachment-0001.bin>
More information about the squid-users
mailing list