On 5/10/2014 7:30 p.m., Jason Haar wrote:
> On 05/10/14 18:44, Amos Jeffries wrote:
>> PS. Google with Chrome appear these days to be the champions of
>> unbreakable TLS, their software is continually being updated to
>> use/invent new TLS features that close loopholes in TLS design
>> which allow ssl-bump to take place. What worked last month has no
>> guarantee of working today, same again next month.
>
> That can't be right? I mean, sslbump doesn't rely on any "bugs" -
> it is simply a CA and so any browser that thinks it's a CA should
> be happy going to any https website using appropriate certs signed
> by that CA?

The CA system itself is the design flaw. No I would not go so far as to say "bug" (that's code) but "loophole" and "flaw" are more appropriate for a system design problem.

The intention and design of TLS/SSL is to prevent third-party intermediaries (i.e. Squid) intercepting communications (i.e. ssl-bump) and looking at what the traffic inside is. Anything that lets a third party access is by definition a flaw in the TLS protocol design.

> I know Chrome has *cert pinning* (ie they hardwired the CAs that
> Google knows *.google.com uses into Chrome), but that isn't a
> "loophole".

Yes, cert pinning, HSTS, hard coded google.com CA certificates ... whatever they can think of next.

> sslbump seems to work as well as can be expected. But pinning also
> appears to be growing in stature (Firefox now does it too), so
> there are less and less sites that sslbump can work on. I wanted to
> use sslbump so that we could run AV and filtering on https links,
> but pinning means our "exclude list" of https sites is getting
> larger and larger - and includes Cloud providers the badguys are
> housing their malware on - which means our AV still can't catch it
> :-(
>
> MSIE 11 seems to be growing in popularity for some reason ;-)

Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
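As an added example, not taken from this thread or from the Squid project, here is how the "exclude list" Jason describes is normally expressed in squid.conf. It assumes the peek-and-splice syntax of Squid 3.5 (released after this message) and uses the domain names only as placeholders for whatever sites an administrator has found to pin their certificates:

```squid
# Placeholder list of sites known to pin their certificates. This list is
# maintained by the administrator; Squid has no way to discover it itself.
acl pinned_sites ssl::server_name .google.com
acl pinned_sites ssl::server_name .example-pinned.invalid

# Step 1 of ssl_bump: only the client's ClientHello (with SNI) has been seen.
acl step1 at_step SslBump1

# Look at the SNI first without altering the handshake, so the
# ssl::server_name ACLs can match before any certificate is generated.
ssl_bump peek step1

# Splice (tunnel unmodified) the pinned sites. The browser then sees the real
# server chain, so its pin check succeeds, but Squid cannot see, filter or
# scan anything inside these connections.
ssl_bump splice pinned_sites

# Everything else is bumped: Squid presents a certificate signed by its own
# CA and the decrypted content can be passed to the AV/filter.
ssl_bump bump all
```

Every name that lands in pinned_sites is content the proxy-side AV never sees, which is exactly the gap described above; the list therefore deserves the same review as any other allow-list.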