Re: acl for redirect

On 26/06/2015 8:40 p.m., FredB wrote:
> Mike, you can also try the dev branch https://github.com/e2guardian/e2guardian/tree/develop
> SSLMITM works now. The request from the client is intercepted, a spoofed certificate supplied for 
> the target site and an encrypted connection made back to the client.  
> A separate encrypted connection to the target server is set up.  The resulting 
> http decrypted stream is then filtered as normal.

If that order of operations is correct then the e2guardian devs have made
the same mistake we made back in Squid-3.2. Client-first bumping opens a
huge security vulnerability - by hiding issues on the server connection
from the client it enables attackers to hijack the server connection
invisibly. This is the reason the more difficult to get working
server-first and peek-n-splice modes exist and are almost mandatory in
Squid today.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
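
The ordering difference discussed in the message above, as an added squid.conf sketch (not part of the original post and not taken from either project). The port and CA certificate path are placeholders, and the three `ssl_bump` variants are alternatives, of which only (c) is left active.

```conf
# Added illustration. Port and CA path below are placeholders (assumptions).
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/bump-ca.pem

# (a) client-first: the order the quoted text describes.
#     Squid finishes the TLS handshake with the client using a generated
#     certificate before it has contacted the origin server, so the client
#     has already accepted the session by the time any problem on the
#     server-side connection could be noticed. Deprecated in current Squid.
# ssl_bump client-first all

# (b) server-first (Squid 3.3 and later).
#     Squid connects to the origin server first, then generates the
#     client-facing certificate by mimicking the server's certificate, so
#     the state of the server connection is known before the client
#     handshake completes.
# ssl_bump server-first all

# (c) peek-and-splice (Squid 3.5 and later).
#     Step 1 peeks at the client hello; the bump that follows happens at a
#     later step, where Squid contacts the server before answering the
#     client, giving server-first ordering.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```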