[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

Alex Rousskov rousskov at measurement-factory.com
Wed May 20 14:38:02 UTC 2020


On 5/20/20 6:02 AM, Matus UHLAR - fantomas wrote:
>> On 5/19/20 9:24 AM, Matus UHLAR - fantomas wrote:
>>> David, note that requiring browsers to connect to your proxy over
>>> encrypted (https) connection, and then decrypting tunnels to real server will
>>> lower the clients' security

> On 19.05.20 10:46, Alex Rousskov wrote:
>> A proper SslBump implementation for HTTPS proxy will not be "decrypting
>> tunnels to real server". The security of such an implementation will be
>> the same as of SslBump supported today (plus the additional protections
>> offered by securing the browser-proxy communication).

> If David wants to ssl-bump the traffic inside the HTTPS tunnel, it means that the
> communication between browser and server has to be decrypted on squid,
> squid will talk to server using HTTPS

You are right. Due to insufficient shared terminology, we are simply
talking about two different things:

* I am talking about Squid (in a bumping HTTPS proxy role) sending
bumped requests to plain servers, exposing previously encrypted traffic.
While that is technically possible to support (in some cases) and even
occasionally explicitly requested (in a peering environment), that
should _not_ happen if the existing SslBump support is added to the
existing HTTPS proxy mode.

* You are talking about Squid (in a bumping HTTPS proxy role) inspecting
TLS traffic that the client meant for origin servers' eyes only. That
will happen, of course. This is what SslBump is about.


> My point is that David wants to provide "secure" proxy which may compromise
> the security instead by bumping connections.

Right. And my point is that adding SslBump support to HTTPS proxy does
not make things _worse_ as far as "security" and "privacy" are
concerned. Compared to using SslBump in an HTTP proxy, adding SslBump
support to HTTPS proxy may make things better. How much better depends
on your threat model, of course.

No sane person would argue that bumping is a good solution. My point was
that if you have to bump, then using an HTTPS proxy is not going to make
things worse.

It would be better if popular browsers would send plain https://... URLs
to an HTTPS proxy they trust, but they refuse to support that "GET
https" mode.


Cheers,

Alex.
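The two listener roles the reply contrasts, as an added squid.conf illustration that is not from this thread, from Alex, or from the Squid project documentation. It uses Squid 4 directive syntax; the ports, file paths, helper path and ACL values are assumptions for the example, and the bumping policy is a plain peek/splice/bump pattern rather than anything the thread prescribes.

```conf
# Added illustration (not from the thread or Squid docs); paths, ports and
# ACL values below are assumptions for this example.

# 1) Plain HTTP proxy port with SslBump: the browser-proxy hop is cleartext
#    and the CONNECT payload is inspected. This is "SslBump supported today".
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# 2) HTTPS ("secure") proxy port: the browser-proxy hop is itself TLS.
#    Per the subject of this thread, Squid 4.10 does not accept ssl-bump
#    here without intercept/tproxy, so this port only tunnels CONNECT as-is.
https_port 3129 tls-cert=/etc/squid/proxy-server.pem

# Bumping policy: peek at the client's TLS hello first, splice (leave
# end-to-end encrypted) anything matching the exemption list, bump the rest.
acl step1 at_step SslBump1
acl nobump ssl::server_name .example-bank.test   # constructed ACL value
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# Bumped requests leave Squid over a fresh TLS connection to the origin; the
# settings below govern that hop, so previously encrypted traffic is not
# forwarded to plain servers (the case the reply says should not happen).
tls_outgoing_options min-version=1.2
sslproxy_cert_error deny all
```

Reading the fragment against the thread: the https_port only changes who can observe the browser-proxy hop; whether origin traffic is inspected is decided entirely by the ssl_bump rules, which is why the reply says adding SslBump to an HTTPS proxy does not make things worse than SslBump on an HTTP proxy.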

