Search squid archive

Re: How Bad is CONNECT and Should I Prevent It?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 19.06.07 19:18, Vadim Pushkin wrote:
> I am only looking to inspect each SSL connection for the purposes of 
> determining if the traffic should be allowed, i.e. non-malicious (not chat, 
> file-transfer, etc).

If anyone was able to see content under SSL protocol, this would mean that
SSL protocol is unsafe and doesn't fullfill it's main requirement that noone
will see what's transferred in it, unless the proxy does MITM attack and
client does not recognize that it's not really talking to the destination
server. (which can be checked by verifying SSL certificates).

There is probably one possibility to avoid this bu the proxy generating SSL
certificate for each destination server and signing it by authority that
client trusts. Oh.

However, proxy server can do inspection of the data flowing via CONNECT,
because CONNECT does NOT mean SSL. You can issue CONNECT and talk through
using HTTP, FTP, NNTP, IRC, SSH protocol etc. So it is possible to inspect
if client/server do not use this protocol and optionally deny it. However,
when client imediately issues SSL negotiation, we can not do wnything with
it.

> Can anyone recommend such a product?  Also, I should mention, I am not 
> looking to spend alot of money.

I'm afraid that such content inspectors won't be very cheap

> Are their any plans on the roadmap to do this sort of traffic analysis 
> within Squid?

You still may submit a wishlist bugreport, but I guess that inspection
should be done outside of squid, maybe by some CONNECT helper or what...

-- 
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux