On Wed, 25 May 2011 16:16:54 +0000, Ming Fu wrote:
>> It is too late to alter the client certificate. By the time a server
>> connection is opened Squid may have already served replies out of cache
>> to the client.
>
> I am a bit surprised. Can sslbump make some https content cacheable?
Why surprised? ssl-bump's purpose is to remove the SSL layer on arriving
traffic.
The data inside is just HTTP and gets handled the same as any other.
Caching, filtering, alterations. Anything goes once the security layer
is erased.
This does make me worried. For a web developer writing an https-only
site, he wouldn't bother with cache control headers the same as when he is
developing an http site. The https itself implies private rather than
shared. I would expect sslbump to preserve this privacy in dealing with
https traffic.
Ming
Sadly this is not new. The same problem happens in HTTP. Some webmaster
jumps on "no-cache" or "no-store" instead of "private", and sets it site
wide instead of just on the personal pages. The proxy admin sees a site
forcing constant reloads on static images that don't ever change, and sets
a site-wide ignore-nocache. Everything goes sour.
All SSL does is verify whether the other endpoint is trusted or not by the
particular client. This is why the ssl-bump feature only works in LAN
situations where the proxy CA can be installed on worker PCs.
Reverse-proxies have always done the mirror image of bump, where the
website cert can be installed on each edge proxy https_port and signed
by a major CA that everybody trusts. LANs which want to bump have always
been able to set up their own reverse-proxy with DNS records and MITM the
HTTPS.
Amos
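The two points Amos makes above (a bumped HTTPS reply is plain HTTP to the cache, and a site-wide "no-cache" plus an admin's ignore-nocache override shares a personal page that "private" would have kept out of the cache) can be shown with a small decision model. This is an added example, not code from the thread or from Squid; it is a simplified shared-cache storability check modelled on the Cache-Control rules in RFC 7234 and on Squid's refresh_pattern ignore-no-cache/ignore-no-store/ignore-private options. The function and site names, and the sample responses, are constructed for illustration.

```python
"""Simplified shared-cache (proxy) storability decisions.

Added example, not Squid's code. Models the Cache-Control directives a
shared cache cares about and an admin-side "ignore this directive" override
in the spirit of Squid's refresh_pattern ignore-no-cache / ignore-no-store /
ignore-private options. Real caches also weigh Expires, Vary, status codes
and heuristics; those are deliberately left out.
"""
from typing import Dict, Iterable, Optional


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Parse 'no-cache, max-age=60' into {'no-cache': None, 'max-age': '60'}."""
    directives: Dict[str, Optional[str]] = {}
    for token in header.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, sep, value = token.partition("=")
        directives[name.strip()] = value.strip().strip('"') if sep else None
    return directives


def shared_cache_decision(cache_control: str, ignore: Iterable[str] = ()) -> str:
    """Decide what a shared cache may do with a response.

    Returns:
      'store'            - may store and serve it without contacting the origin
      'store-revalidate' - may store but must revalidate on every hit (no-cache)
      'no'               - must not store (no-store, or private in a shared cache)

    `ignore` lists directives the proxy admin has told the cache to disregard
    (the site-wide override Amos describes). Note: 'private' with a field list
    is treated the same as bare 'private' here, which is the conservative side.
    """
    ignored = {d.lower() for d in ignore}
    cc = {k: v for k, v in parse_cache_control(cache_control).items() if k not in ignored}
    if "no-store" in cc or "private" in cc:
        return "no"
    if "no-cache" in cc:
        return "store-revalidate"
    return "store"


def proxy_decision(url_scheme: str, cache_control: str,
                   ssl_bump: bool = False, ignore: Iterable[str] = ()) -> str:
    """An HTTPS reply reaches the cache logic only when the proxy bumps the
    TLS session; without bumping it only relays an opaque CONNECT tunnel."""
    if url_scheme == "https" and not ssl_bump:
        return "tunnel"  # nothing to store: the proxy never sees the HTTP inside
    return shared_cache_decision(cache_control, ignore)


# Constructed sample sites (assumed paths and headers, not real responses).
# A webmaster who reached for a blanket "no-cache" on everything:
SITE_WIDE_NO_CACHE = {
    "/static/logo.png": "no-cache",
    "/account/statement": "no-cache",  # personal page, same blanket header
}
# The same site marking only the personal page as private:
SITE_WITH_PRIVATE = {
    "/static/logo.png": "public, max-age=86400",
    "/account/statement": "private, no-store",
}


def outcome(site: Dict[str, str], ignore: Iterable[str] = ()) -> Dict[str, str]:
    """Per-path shared-cache decision for a site, with an optional admin override."""
    return {path: shared_cache_decision(cc, ignore) for path, cc in site.items()}


if __name__ == "__main__":
    print("HTTPS not bumped:", proxy_decision("https", "public, max-age=60"))
    print("HTTPS bumped:    ", proxy_decision("https", "public, max-age=60", ssl_bump=True))
    print("blanket no-cache, no override:    ", outcome(SITE_WIDE_NO_CACHE))
    # The override fixes the constant image reloads but also shares the statement.
    print("blanket no-cache + ignore-no-cache:", outcome(SITE_WIDE_NO_CACHE, ignore=("no-cache",)))
    # With 'private' on the personal page the same override is harmless.
    print("private + ignore-no-cache:         ", outcome(SITE_WITH_PRIVATE, ignore=("no-cache",)))
```

Running it shows the failure mode from the thread: with a blanket "no-cache" and the admin's ignore-no-cache override, the personal statement page becomes 'store' just like the logo, whereas "private" survives the override because the admin only ignored "no-cache".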