On 07/08/2014 08:17 PM, David Marcos wrote:
> b. HTTP Strict Transport Security (HSTS): Some pages flat-out
> reject any SSL bumping due to HSTS. I am using Chrome, which I'm sure
> aggravates the issue. Is there a way to configure Squid to get around
> HSTS? (Yes, I know this may be a dumb question given how HSTS works,
> but would appreciate any insight.)

HSTS is an active area of research so I do not have final answers for you, but my current understanding is:

a) HSTS itself is more-or-less compatible with SslBump. If you can successfully convince an HTTP client to trust the Root certificate used by Squid, then sites visited by that client will not violate any standard HSTS rules.

b) Bumping errors unrelated to HSTS may be misinterpreted as HSTS-related errors because the browser says "I cannot render that site because of HSTS". What the browser means, in some cases, is that "I do not trust that site [because there was a bumping problem] and HSTS rules prevent me from showing you the sites I do not trust". In this particular case, HSTS is mostly irrelevant. Once you fix the true cause of distrust, everything should work.

c) If a browser or browser plugin "pins" a certificate to a site, it will not trust any other certificate for that site, possibly resulting in HSTS errors. See item (b) above for why these are not actually HSTS errors. In this case, there may be no solution -- you cannot force the browser to unpin the certificate if that pinning was hard-coded.

Corrections welcomed!

HTH,

Alex.
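The three cases in the reply above (trusted bumping root, untrusted root on an HSTS host, and a pinned host), as an added Python model written for this page; it is not Squid code and not any browser's code. It parses the Strict-Transport-Security header per RFC 6797, keeps a known-HSTS-host store with expiry and includeSubDomains matching, computes an SPKI pin as a SHA-256 over the DER SubjectPublicKeyInfo, and then applies the browser's rule: a trusted chain passes, an untrusted chain on an HSTS host fails without a click-through, and a pinned host rejects any chain that lacks a pinned key regardless of trust. The host names, SPKI byte strings and pin sets in `demo()` are constructed for the example.

```python
"""Model of how a browser combines HSTS state, chain trust and key pinning
when it decides whether to show an SslBump'ed site. Illustration only; the
hosts, SPKI bytes and pins below are constructed, not taken from real sites."""
import hashlib
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns (max_age, include_subdomains), or None when the UA must ignore
    the header: missing/non-numeric max-age or a repeated directive."""
    max_age, include_subdomains, seen = None, False, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives are ignored by the UA
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Known-HSTS-host cache as a browser keeps it, keyed by host name."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expiry, include_subdomains)

    def observe(self, host, header):
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            self.entries[host] = (self.now() + max_age, include_subdomains)

    def is_hsts_host(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue
            if i == 0 or entry[1]:  # exact match, or a superdomain with includeSubDomains
                return True
        return False


def spki_pin(spki_der):
    """Pin value in the HPKP / Chrome built-in style: SHA-256 over the DER SPKI."""
    return hashlib.sha256(spki_der).hexdigest()


def browser_decision(host, chain_trusted, chain_spki_ders, hsts, pins=None):
    """chain_trusted: the (Squid-generated) chain validates to a trusted root.
    chain_spki_ders: DER SPKIs of the presented chain.
    pins: host -> set of acceptable pins (built-in or HPKP), may be None."""
    pinned = pins.get(host) if pins else None
    if pinned and not any(spki_pin(d) in pinned for d in chain_spki_ders):
        return "hard-fail:pin-mismatch"          # item (c): trust is irrelevant here
    if chain_trusted:
        return "ok"                              # item (a): trusted root satisfies HSTS
    if hsts.is_hsts_host(host):
        return "hard-fail:untrusted-cert-no-bypass"  # item (b): HSTS removes the click-through
    return "warn:untrusted-cert-bypassable"


def demo():
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    store.observe("example.com", "max-age=31536000; includeSubDomains")
    bumped_spki = b"constructed-spki-of-squid-generated-leaf"   # constructed sample bytes
    real_spki = b"constructed-spki-of-the-real-site-key"       # constructed sample bytes
    pins = {"pinned.example.net": {spki_pin(real_spki)}}
    return {
        "trusted-root": browser_decision("www.example.com", True, [bumped_spki], store),
        "untrusted-root-hsts": browser_decision("www.example.com", False, [bumped_spki], store),
        "untrusted-root-no-hsts": browser_decision("other.example.org", False, [bumped_spki], store),
        "pinned-host": browser_decision("pinned.example.net", True, [bumped_spki], store, pins),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `untrusted-root-hsts` outcome is the one a user reports as "HSTS blocks the site": the store contains `example.com` with `includeSubDomains`, so the certificate error on `www.example.com` cannot be clicked through, but the fix is still to get the Squid root trusted, after which the same host returns `ok`. The pinned host fails even with a trusted chain, which is the case with no proxy-side fix.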