On 31/12/2014 6:30 a.m., shawn wilson wrote:
> On Dec 30, 2014 8:57 AM, "Amos Jeffries" wrote:
>>
>> As bumping gets more popular we are hearing about a number of
>> services abusing port 443 for non-HTTPS protocols on the false
>> assumption that the TLS layer goes all the way to the origin
>> server without inspection. That has never been a true assumption,
>> CDN frontends have always decrypted.
>>
>
> OT but you use 443 because people expect it to be encrypted web
> data and don't block it. And DPI doesn't tell you anything more.
>

"web" is no longer just HTTP and that is part of the problem. People
treating port 443 as if any of the "web" protocols can use it just by
being wrapped in TLS.

Port 443 is specifically registered for "HTTP over TLS" (aka HTTPS).
"Web" includes HTTP, but also includes protocols like RSS, WebSockets,
SPDY, QUIC, COAP, even IRC and Jabber at times. The other non-HTTP
protocols have other non-443 ports registered or available for their
use. Some like SMTP even switch their main port between encrypted and
non-encrypted as needed.

I know it can be hard to get unusual ports opened past firewalls, but
that is not being helped by everything using only a handful of ports.

[I have a long rant at this point about lazy corporates, but it's 2015
in a few hrs so I'll drop it for now].
Amos
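An added example, not from Amos's message or from the Squid project: before a bumping proxy or a passive sensor decrypts anything, the only place it can see what a client intends to speak on port 443 is the ClientHello, and HTTP clients declare themselves there through the ALPN extension (http/1.1, h2). The script below builds constructed ClientHello records (not captures) and labels them as HTTPS, non-HTTP-over-TLS, or not TLS at all; the ALPN ids used as input and the label strings are assumptions of the example.

```python
import struct

HTTP_ALPN = {"http/1.0", "http/1.1", "h2"}   # ALPN ids that mean HTTP over TLS, i.e. actual HTTPS

def build_client_hello(alpn):
    """Constructed minimal TLS 1.2 ClientHello carrying an ALPN list (test input, not a capture)."""
    exts = b""
    if alpn:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        exts = struct.pack("!HHH", 0x0010, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"          # one cipher suite, null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs   # TLS record header

def client_hello_alpn(data):
    """Return the ALPN ids offered in a ClientHello record, or None if data is not a ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                   # skip client_version and random
        p += 1 + data[p]                                 # skip session_id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # skip cipher_suites
        p += 1 + data[p]                                 # skip compression_methods
        alpn = []
        if p + 2 > len(data):                            # hello with no extensions block at all
            return alpn
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            body, p = data[p + 4:p + 4 + elen], p + 4 + elen
            if etype == 0x0010 and len(body) >= 2:       # application_layer_protocol_negotiation
                q = 2
                while q < len(body):
                    alpn.append(body[q + 1:q + 1 + body[q]].decode("ascii", "replace"))
                    q += 1 + body[q]
        return alpn
    except (IndexError, struct.error):                   # truncated or malformed hello
        return None

def classify_port443(data):
    """Label what a client announces it will speak inside TLS on port 443 (defender-side triage)."""
    alpn = client_hello_alpn(data)
    if alpn is None:
        return "not-tls"
    if not alpn:
        return "tls-no-alpn"             # old HTTPS clients, but also anything not declaring itself
    return "https" if any(a in HTTP_ALPN for a in alpn) else "tls-non-http:" + ",".join(alpn)
```

A client that offers no ALPN at all cannot be told apart from a legacy browser by the hello alone, which is exactly why the non-HTTP services Amos describes only get found once the tunnel is opened and inspected.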