On Sun, 29 May 2005, Florian Effenberger wrote:
is it possible to only permit SSL traffic on CONNECT? When I have CONNECT on
443 open, a user could theoretically open up its own server listening on port
443 and tunnel through my proxy...
Squid doesn't care today.
In theory you could look for SSL fingerprinting of the forwarded traffic,
but you should realize that this will only make the determined users
tunnel their stuff over SSL, and also risks false rejects especially
considering future versions of SSL not known to your protocol
fingerprinting.
A more viable option is to use IDS type technology to detect known forms
of abuse, and take appropriate action on the users found to violate your
policy. On the other hand if you can not take noticable actions when abuse
is found then there isn't much to gain in uppering the level and it's
better to use these tools to document that these things is going on
motivating a change in policy allowing actions to be taken.
Detecting things like SSH, POP3, SMB etc over the CONNECT method is
relatively trivial at the packet level by an IDS. Also extending Squid to
have the IDS hooks builtin shouldn't be hard.
Regards
Henrik
