On 05/10/14 18:44, Amos Jeffries wrote:
> PS. Google with Chrome appear these days to be the champions of
> unbreakable TLS, their software is continually being updated to
> use/invent new TLS features that close loopholes in TLS design which
> allow ssl-bump to take place. What worked last month has no guarantee
> of working today, same again next month.

That can't be right? I mean, sslbump doesn't rely on any "bugs" - it is
simply a CA, and so any browser that thinks it's a CA should be happy
going to any https website using appropriate certs signed by that CA?

I know Chrome has *cert pinning* (i.e. they hardwired the CAs that Google
knows *.google.com uses into Chrome), but that isn't a "loophole".
sslbump seems to work as well as can be expected.

But pinning also appears to be growing in stature (Firefox now does it
too), so there are fewer and fewer sites that sslbump can work on. I
wanted to use sslbump so that we could run AV and filtering on https
links, but pinning means our "exclude list" of https sites is getting
larger and larger - and includes Cloud providers the bad guys are housing
their malware on - which means our AV still can't catch it :-(

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
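An added example, not part of the thread, of why a pinned site rejects a bumped connection even though the browser trusts the proxy CA: a public-key pin is a SHA-256 over the leaf's DER SubjectPublicKeyInfo, and the certificate the proxy CA mints for the same name necessarily carries the proxy's key, so the pin never matches. The two certificates below are constructed DER skeletons with made-up keys and empty name fields, parsed by minimal helpers written for this example.

```python
import base64
import hashlib

# --- minimal DER helpers (enough for the skeleton certificates built below) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def spki_pin(cert_der):
    """Base64(SHA-256(DER SubjectPublicKeyInfo)): the form Chrome and HPKP pins use."""
    _, cert_body, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)               # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag != 0xA0:                                   # no [0] EXPLICIT version present
        pos = 0
    for _ in range(5):      # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    start = pos
    _, _, end = read_tlv(tbs, start)                  # subjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(tbs[start:end]).digest()).decode()

def is_pinned_key(cert_der, pins):
    """True when the leaf's SPKI matches one of the site's hard-wired pins."""
    return spki_pin(cert_der) in pins

# --- constructed inputs: skeleton certs, not real ones (keys are made up) ---
RSA_OID = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption

def fake_spki(key_bytes):
    alg = tlv(0x30, RSA_OID + tlv(0x05, b""))         # AlgorithmIdentifier + NULL
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key_bytes))

def fake_cert(spki):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")   # v3, serial 1
           + tlv(0x30, b"") * 4 + spki)  # signature, issuer, validity, subject left empty
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

SITE_CERT = fake_cert(fake_spki(b"genuine-site-key"))    # as issued by a public CA
PROXY_CERT = fake_cert(fake_spki(b"proxy-minted-key"))   # same name, ssl-bump CA's key
PINS = {spki_pin(SITE_CERT)}                             # what the browser hard-wires

if __name__ == "__main__":
    print("site cert   ->", is_pinned_key(SITE_CERT, PINS))   # True
    print("bumped cert ->", is_pinned_key(PROXY_CERT, PINS))  # False: pin mismatch
```

Nothing about the proxy CA being trusted changes the outcome: the pin set contains keys, not issuers, which is why such sites end up on the exclude list.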