RE: RES: block https requests

The host is still known from the request header and is not encrypted in https; only the data in the body of the request and reply is encrypted. If the headers were encrypted, a proxy would never be able to direct the request to the origin server.

Here is a direct copy from a raw TCP data capture of a login to my home web server.
CONNECT www.myhostinghome.net:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Proxy-Connection: keep-alive
Host: www.myhostinghome.net
HTTP/1.0 200 Connection established
...........II-....`.9..$........Q6z...j...D ..q...........
....@.8b.....7O"F.D.
.......9.8.......5.........E.D.3.2.........A...../.........
.....
[...snip...]

This is the reason you won't find any forms on a decent secure site using the GET method as the data submitted will still be visible to anyone in the middle.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar@xxxxxxxxxxx] 
Sent: Wednesday, December 17, 2008 11:02 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: RES:  block https requests

On 16.12.08 13:51, Ricardo Augusto de Souza wrote:
> I am used to blocking sites using:
> 
> 
> acl bad_sites dstdomain "/etc/squid/bad_sites.txt"
> 
> http_access deny bad_sites
> 
>   
> 
> With this my users cannot access all domains listed in
> "/etc/squid/bad_sites.txt" using http but they can access using https.

Squid does not see what's in https requests, they are encrypted. That's what
the "s" means (secure): only client and server know what's inside, nobody
else.

You can disable CONNECT method to those hosts. You may need to disable
CONNECT to IP addresses.

Or you may do an MITM attack and use sslbump (which means, https won't be
secure anymore for your clients). Clients will detect it - they will see
certificate mismatch (since you won't be able to provide anyone's
certificate but yours)

> How do I solve this?

disable https?
-- 
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Support bacteria - they're the only culture some people have. 
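
The decision discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: a proxy sees only the host and port on the CONNECT line, which is enough to apply a domain blocklist and to refuse CONNECT to bare IP addresses. The function names and the blocklist entries are hypothetical, and the matching is a simplified model of dstdomain-style rules (a leading dot matches the domain and its subdomains).

```python
import ipaddress

# Constructed blocklist in the style of a dstdomain file: a leading dot
# matches the domain and all of its subdomains, a bare name matches exactly.
BAD_SITES = [".myhostinghome.net", "bad.example"]


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    # Drop IPv6 brackets and a trailing root dot before comparing.
    return host.strip("[]").lower().rstrip("."), int(port)


def is_ip_literal(host):
    """True when the CONNECT target is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_blocked(host, patterns):
    """Simplified dstdomain-style match (an assumption, not Squid's code)."""
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def decide(request_line, patterns=BAD_SITES, deny_ip_connect=True):
    """Return 'deny', 'allow', or 'not-connect' for one request line."""
    target = parse_connect(request_line)
    if target is None:
        return "not-connect"
    host, _port = target
    if is_ip_literal(host):
        # A name-based list cannot match an address, so decide separately.
        return "deny" if deny_ip_connect else "allow"
    return "deny" if domain_blocked(host, patterns) else "allow"
```
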


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux