[squid-users] possible to intercept https traffic in TCP_TUNNEL CONNECT method ?
Antony Stone
Antony.Stone at squid.open.source.it
Sat Oct 22 13:54:27 UTC 2016
On Saturday 22 October 2016 at 15:42:23, --Ahmad-- wrote:
> Hi guys
> Say that I have a Squid proxy server
> and I was capturing traffic on that server.
You mean using ICAP or ECAP service?
> Say that all users were using ip:port -> (tcp_connect tunnel) mode of
> Squid.
I'm not sure what you mean here - are you saying the clients are configured to
use the proxy, or that the proxy is operating in intercept mode, and the
clients don't know?
> The question being asked here ... will I be able to see HTTPS traffic like
> Facebook as normal traffic? Or encrypted?
You can always see the encrypted traffic - you don't need Squid for that - just
run tcpdump, wireshark or similar on a router between your clients and the
Internet. Encrypted traffic isn't going to tell you much, though.
> The question put another way ... is it possible to hack HTTPS traffic and see
> it as not encrypted?
Yes - you perform a Man-in-the-Middle attack, which requires configuring the
clients to accept fake certificates from Squid by trusting its built-in
Certificate Authority. In other words, you cannot do it without clients
knowing that the certificate presented by Squid does not belong to the site
they're visiting.
Also, all technical possibilities aside, it may well be illegal for you to do
this, depending on where you are and who your users are.
See http://wiki.squid-cache.org/Features/SslPeekAndSplice and
http://wiki.squid-cache.org/SquidFaq/ContentAdaptation for more details.
Antony.
--
"Life is just a lot better if you feel you're having 10 [small] wins a day
rather than a [big] win every 10 years or so."
- Chris Hadfield, former skiing (and ski racing) instructor
Please reply to the list;
please *don't* CC me.
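The practical consequence of Antony's answer is visible in the proxy's own logs: with plain CONNECT tunnelling Squid records only the destination host:port of each TLS session, and full `https://` request lines appear only when the proxy has terminated TLS itself (SslBump, which requires the clients to trust Squid's CA). The following script is an added example written for this thread, not code from the list or the Squid project; it parses Squid's default native access.log format (which is assumed here) and reports how much of each HTTPS exchange the proxy could observe. The log lines are constructed for the example.

```python
"""Classify Squid access.log lines by how much of the HTTPS exchange the proxy
could actually observe.  Added illustration for the squid-users thread above;
the log lines in SAMPLE_LOG are constructed, not taken from a real server."""
import re
from dataclasses import dataclass

# Squid's default "native" access.log format (assumed here):
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Visibility:
    client: str
    target: str
    level: str   # "tunnel" | "bumped" | "plain"
    note: str


def classify(line):
    """Return a Visibility record for one log line, or None if it is not
    a native-format Squid entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, url = m["method"], m["url"]
    if method == "CONNECT":
        # Opaque tunnel (the TCP_TUNNEL case from the thread): Squid forwards
        # the TLS bytes unchanged and logs only the destination host:port.
        return Visibility(m["client"], url, "tunnel",
                          "encrypted end-to-end; proxy sees only host:port")
    if url.startswith("https://"):
        # A full https:// URL with an ordinary method normally appears only
        # when Squid terminated TLS itself (ssl_bump), i.e. the client
        # trusted the proxy's CA and the request was visible in clear.
        return Visibility(m["client"], url, "bumped",
                          "TLS terminated at the proxy; full request visible")
    return Visibility(m["client"], url, "plain",
                      "unencrypted HTTP; full request visible")


# Constructed sample log: one tunnelled session, one bumped request,
# one plain-HTTP request and one line that is not a Squid entry at all.
SAMPLE_LOG = """\
1477144467.123    120 192.168.1.10 TCP_TUNNEL/200 3456 CONNECT www.facebook.com:443 - HIER_DIRECT/31.13.64.35 -
1477144470.456     85 192.168.1.10 TCP_MISS/200 15230 GET https://www.facebook.com/ - HIER_DIRECT/31.13.64.35 text/html
1477144471.789     40 192.168.1.11 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
this line is not a squid log entry
"""


def summarize(log_text):
    """Count log lines per visibility level; unparsable lines are counted
    separately so an auditor notices format mismatches."""
    counts = {"tunnel": 0, "bumped": 0, "plain": 0, "unparsed": 0}
    for line in log_text.splitlines():
        v = classify(line)
        counts["unparsed" if v is None else v.level] += 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```

Running it against a real access.log is a quick way for an administrator to confirm that a proxy meant to run as a plain CONNECT tunnel is not bumping anything: every HTTPS session should classify as "tunnel", and any "bumped" entry means TLS is being terminated at the proxy and the clients involved must have been provisioned with its CA.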