I made the SSH tunnel approach work. I can use PuTTY on my Windows box easily enough. I gotta say though: 1) it is slower (noticeably!) 2) it is cumbersome. BUT I think it is a temp solution till I decide what to do and maybe figure out how stunnel may work for me (since it is on the server that runs the proxy, and I am not clear yet on how it can help).

Thanks

-----Original Message-----
From: Chris Lightfoot [mailto:chris@xxxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Chris Lightfoot
Sent: Wednesday, June 28, 2006 4:01 PM
To: Aaron Gray
Cc:
Subject: Re: Squid use SSL ALWAYS?

On Wed, Jun 28, 2006 at 11:07:01AM -0700, Aaron Gray wrote:
> I have squid working perfectly as a caching proxy server.
> If I access my squid proxy server from a network that has some kind of
> "sniffing" software, they can see the headers are HTTP headers (even though
> it is on a weird port) and still identify where you're going and read all the
> plain text HTML.
>
> Is there any way to make it so that when I connect to the squid proxy and
> authenticate (which I require based on my ACL) that it creates an SSL
> connection (or something similar) to where all traffic is encrypted even if
> the destination page is not a https website? I want to hide the plain text.

as others have suggested, you can use an SSL tunnel for
this application. You could also use SSH's port forwarding
facilities.

However, note that this will not prevent an attacker with
access to the network from discovering that you are using
HTTP -- the pattern and timing of requests sent and
replies received is likely to be quite characteristic of
the protocol. This sort of traffic analysis will not
reveal which web pages you are viewing (unless your client
leaks that information in other ways, for instance by
doing DNS queries for them) but it will reveal that you're
using HTTP, or another similar protocol.

--
``My teacher's face when he worked out what I was doing was a picture.
A picture of howling existential despair.
So no change there, then.'' (Dominic Fox, on abbreviations)
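
One way the stunnel setup discussed above can be laid out, as an added example that is not part of the original thread: stunnel runs on both ends, so the browser talks plain HTTP only to a local listener and everything on the wire is TLS. The host name `proxy.example.com`, the TLS port 8443, the certificate file names and the use of Squid's default port 3128 are assumptions.

```ini
; ===== File 1: stunnel.conf on the Squid host (server side) =====
; Certificate and private key presented to clients (placeholder path).
cert = /etc/stunnel/proxy.pem

[squid-tls]
; TLS listener reachable from outside (8443 is an assumed port).
accept = 8443
; Decrypted traffic is handed to Squid over loopback only.
connect = 127.0.0.1:3128

; ===== File 2: stunnel.conf on the client machine =====
[squid-tls]
; Client mode: accept plaintext locally, speak TLS to the remote end.
client = yes
; The browser's HTTP proxy setting points at this local listener.
accept = 127.0.0.1:3128
connect = proxy.example.com:8443
; Verify the server certificate so the tunnel cannot be silently
; intercepted by a man-in-the-middle on the monitored network.
verifyChain = yes
CAfile = proxy-ca.pem
checkHost = proxy.example.com
```

Squid's own proxy authentication still applies, now carried inside the TLS session. Binding Squid to loopback (`http_port 127.0.0.1:3128` in squid.conf) keeps the plaintext port off the network.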