W dniu 2014-05-07 15:40, Marcus Kool pisze: [...] >> certificate chain: >> Certificate chain >> 0 s:/CN=*.gateway.messenger.live.com >> i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2 >> 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2 >> i:/CN=Microsoft Internet Authority >> 2 s:/CN=Microsoft Internet Authority >> i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root > > There is a misunderstanding here. > Skype does not use SSL, it only uses port 443 which is commonly used > by SSL, > but skype knows that there is a proxy and uses the CONNECT method to > get a tunnel from Squid. > Squid (without SSL-bump) than simply "tunnels" (i.e. passes everything > from the client to the server and back). > But _with_ ssl-bump Squid assumes that the CONNECT is for a SSL > connection and this assumption is wrong. Sorry, but you are wrong. Skype *IS* using ssl like you can see on example above. That example was made on openssl -connect ip.from.sniffing.my.own.skype:443 and as you can see, it's a proper SSL connection. But, no one of us have any idea what is the native protocol, all what we can figure out it is SSL connection. This is some kind of protocol over SSL. > > This is entirely correct. Skype has too many features that bypass > security measures and the worst is that Skype has an API which any 3rd > party program (including a virus) can use. > So think twice before allowing Skype. > Absolutely agreed with you. Regards; Pawel Mojski