On Dec 30, 2014 7:04 PM, "Amos Jeffries" <squid3@xxxxxxxxxxxxx> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 31/12/2014 6:30 a.m., shawn wilson wrote:
> > On Dec 30, 2014 8:57 AM, "Amos Jeffries" wrote:
> >>
> >
> >>
> >> As bumping gets more popular we are hearing about a number of
> >> services abusing port 443 for non-HTTPS protocols on the false
> >> assumption that the TLS layer goes all the way to the origin
> >> server without inspection. That has never been a true assumption,
> >> CDN frontends have always decrypted.
> >>
> >
> > OT but you use 443 because people expect it to be encrypted web
> > data and don't block it. And DPI doesn't tell you anything more.
> >
>
> "web" is no longer just HTTP and that is part of the problem. People
> treating port 443 as if any of the "web" protocols can use it just by
> being wrapped in TLS.
>
Worse than that - I'm mainly thinking ssh (which won't survive DPI).
> Port 443 is specifically registered for "HTTP over TLS" (aka HTTPS).
> "Web" includes HTTP, but also includes protocols like RSS, WebSockets,
> SPDY, QUIC, COAP, even IRC and Jabber at times.
>
> The other non-HTTP protocols have other non-443 ports registered or
> available for their use. Some like SMTP even switch their main port
> between encrypted and non-encrypted as needed.
>
> I know it can be hard to get unusual ports opened past firewalls, but
> that is not being helped by everything using only a handful of ports.
> [I have a long rant at this point about lazy corporates, but it's 2015
> in a few hrs so I'll drop it for now].
>
My point isn't even about "lazy corporates" but this: how many airlines will block ssh over port 22 and how many will block it over 443? (And if that doesn't work, OpenVPN on 443 and ssh through that.) I assume Google thought along similar lines when they talked about which port to put their binary Drive data on.
You want people to stop using 443 for non-https traffic, get people to stop blocking the other ssl ports.
This is OT but here's the topical point - if you're going to bump http+ssl traffic, you need to know that due to some people blocking alternative ports for secure services, you'll always see non-http traffic here. The IETF might give you a port but only smart long term business decisions will allow you to keep it - that's far past over for 443/tcp at this point I think :/
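Added example (not part of this thread or of Squid): a small defender-side triage script for the situation the thread describes, where a proxy that peeks at or bumps port 443 sees protocols that are not HTTPS at all. It classifies the first bytes of a flow on 443 as a TLS ClientHello (checked against the TLS record header and handshake type), an SSH identification string ("SSH-" per RFC 4253, which is cleartext and is why the thread says ssh "won't survive DPI"), a cleartext HTTP request line, or unknown, and pulls the SNI host name out of a ClientHello the way a peek step would. All function names and the sample flows are my own constructions; the ClientHello is built by the script itself so that it runs offline.

```python
"""Triage the first bytes of TCP flows arriving on port 443 (added example, constructed data)."""
import struct
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_initial_bytes(data: bytes) -> str:
    """Label the first bytes of a flow by protocol fingerprint (hypothetical helper)."""
    # TLS record: content type 0x16 (handshake), version 0x03 0x0x, 2-byte length,
    # then the first handshake byte 0x01 = ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls-client-hello"
    # SSH identification string is sent in cleartext before any key exchange.
    if data.startswith(b"SSH-"):
        return "ssh-banner"
    # Plain HTTP request line on a port registered for HTTP over TLS.
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent/malformed."""
    if classify_initial_bytes(data) != "tls-client-hello":
        return None
    try:
        hs = data[5:]
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # client_version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            pos += 4
            if etype == 0:                             # server_name extension
                lst = body[pos:pos + elen]
                if len(lst) >= 5 and lst[2] == 0:      # name_type host_name
                    nlen = int.from_bytes(lst[3:5], "big")
                    return lst[5:5 + nlen].decode("ascii", "replace")
            pos += elen
    except IndexError:
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)      # client_version + (zeroed) random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # compression: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def triage_flows(flows):
    """Count protocol labels over a batch of (client, first_bytes) pairs."""
    return Counter(classify_initial_bytes(first) for _, first in flows)


# Constructed sample flows as a peek/bump proxy on port 443 might see them.
SAMPLE_FLOWS = [
    ("10.0.0.5", build_client_hello("www.example.com")),
    ("10.0.0.6", b"SSH-2.0-OpenSSH_6.7\r\n"),
    ("10.0.0.7", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.8", b"\x00\x0e\x38\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for client, first in SAMPLE_FLOWS:
        print(client, classify_initial_bytes(first), extract_sni(first))
    print(dict(triage_flows(SAMPLE_FLOWS)))
```

The same classifier is useful twice in a bumping deployment: on the raw bytes before the TLS layer (where an SSH banner or plain HTTP on 443 is visible immediately) and again on the decrypted payload after the bump, where something like SSH or a VPN wrapped in TLS shows up as a non-HTTP stream. Squid itself only needs the SNI to decide whether to splice or bump; the rest is what a log-review or detection pipeline would do with the peeked bytes.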
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users