On 25/07/2015 3:34 a.m., Yuri Voinov wrote:
>
> 24.07.15 21:15, Amos Jeffries writes:
>> On 25/07/2015 12:38 a.m., Yuri Voinov wrote:
>>>
>>> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>>
>>> 24.07.15 18:33, joe writes:
>>>> I don't see Strict-Transport-Security in my log header,
>>>> only alternate-protocol.
>>>> Can you post an example link please?
>>>
>
>> Note that the header may be sent over an HTTP or HTTPS connection just once
>> with a value of up to 68 years. And the domain will be HTTPS from then
>> on as far as that client is concerned.
>
>> Dropping Strict-Transport-Security therefore does nothing useful.
> In my setup it works for Chrome when the user types "youtube.com" in the
> command line. Browser goes into http. Always.

Great to hear. I assume they are not placing a long duration on their HSTS
header then. Or that you successfully turned it off in some HTTPS you
intercepted sometime. Like I said, they *could* send 68 years as the
duration of non-HTTP.

>
>> But Squid replacing it with a new value of "max-age=0;
>> includeSubDomains" will turn off the HSTS in the client for that domain.
> Which Squid?

I think 3.4+. The ones supporting reply_header_access and
reply_header_replace with custom header names. It was such a small, rarely
mentioned update that I've forgotten when it happened.

>
>> Be careful with that though. HSTS is actually a good thing most of the
>> time. No matter how annoying it is to us proxying.
> This is a security illusion. Which is worse than insecure.
>

No, HSTS is not an illusion. At least not beyond the illusions offered by
TLS itself (which ssl-bump shines a light on).

HSTS is just telling the client to use https:// on its URLs even if the
user types http:// or any page it gets contains an http:// URL. The TLS
connection goes to where the user actually wanted to go, and is as secure
as TLS is. Nothing is transferred over plain-text HTTP that could be used
to divert where the TLS was going to.

All else being equal (ie assuming TLS was secure), attackers would have to
control port 443 on the servers belonging to the host who happened to only
be offering port 80 service. Pretty rare thing, that.

In contrast there *is* an illusion when an http:// redirects to https://,
because the http:// part can be intercepted and an attacker can replace the
redirect URL with its own https:// URL. HSTS avoids using the redirect part
at all.

>
>
>> Regarding Alternate-Protocol;
>> The latest Squid will auto-remove *always*. It usually indicates a
>> protocol experiment taking place by the website being visited (ie Google
>> and QUIC/SPDY) and does a lot of real damage to network security and
>> usability in any proxied network.
> No network security during DPI. So, all of these things are meaningless. IMHO.
>

DPI? You recall why I put it in, right? All the complaints from people
about users bypassing their security rules and not being able to identify
how it was happening. It was a bit noisy in here a while back about all
that.

That's what I mean by damage. If the person in charge of security doesn't
even know where the traffic is, they've got problems.

> All the usability we need, HTTP does.
>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
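The following is an added example, not code from the thread or from Squid. It models the client-side HSTS behaviour the exchange turns on, following RFC 6797: a Strict-Transport-Security header received over TLS pins the host (and, with includeSubDomains, everything below it) for max-age seconds, capped at 2^31-1 seconds, which is the "68 years" figure; the same header arriving over plain HTTP is ignored, so an on-path attacker cannot plant or clear a policy; and a "max-age=0" sent over TLS makes the client forget the host, which is exactly what a bumping proxy that rewrites the header is relying on. The host names (example.test) and header values are constructed for the demo.

```python
"""HSTS policy store modelled on RFC 6797 (added example; not Squid code).

Shows the three behaviours the thread argues about:
  * a Strict-Transport-Security header received over TLS pins the host
    (and, with includeSubDomains, everything below it) for max-age seconds;
  * the same header received over plain HTTP is ignored;
  * "max-age=0" makes the client forget the host, which is what a
    bumping proxy that rewrites the header is relying on.
Host names such as example.test are constructed for the demo.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# 2**31-1 seconds is roughly 68 years (the figure quoted in the thread);
# clamp anything larger so a huge max-age cannot overflow a 32-bit store.
MAX_AGE_CAP = 2**31 - 1


def parse_sts(value):
    """Parse an STS field value into (max_age, include_subdomains).

    Returns None when the header must be ignored: no max-age, a
    non-numeric max-age, or a directive repeated (RFC 6797 section 6.1).
    Directive names are case-insensitive; unknown ones are skipped.
    """
    seen = set()
    max_age = None
    include_sub = False
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = min(int(val), MAX_AGE_CAP)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


class HstsStore:
    """Per-client HSTS cache: host -> (expiry time, include_subdomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._hosts = {}

    def process_response(self, url, headers):
        """Apply the STS header of one response. Returns True if state changed."""
        parts = urlsplit(url)
        host = parts.hostname
        # RFC 6797 section 8.1: the header only counts over secure transport,
        # so an attacker on the plain-HTTP path cannot plant or clear a policy.
        if parts.scheme != "https" or not host:
            return False
        value = _header(headers, "Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 means "forget me"
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, is pinned."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:
                del self._hosts[candidate]   # lazily expire stale entries
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):   # port 80 becomes 443; others are kept
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the scenario from the thread; returns the URL after each step."""
    clock = [1_000.0]
    store = HstsStore(now=lambda: clock[0])
    steps = {}
    # 1. Origin pins itself for a year over TLS.
    store.process_response("https://example.test/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    steps["pinned"] = store.rewrite("http://www.example.test/watch")
    # 2. Same header over plain HTTP is ignored, so an on-path attacker cannot clear it.
    store.process_response("http://example.test/",
                           {"Strict-Transport-Security": "max-age=0"})
    steps["after_http_attempt"] = store.rewrite("http://www.example.test/watch")
    # 3. A bumping proxy replaces the header in a TLS response: the client forgets.
    store.process_response("https://example.test/",
                           {"Strict-Transport-Security": "max-age=0; includeSubDomains"})
    steps["after_proxy_reset"] = store.rewrite("http://www.example.test/watch")
    return steps


if __name__ == "__main__":
    for step, url in demo().items():
        print(f"{step:>20}: {url}")
```

Step 3 of `demo()` is the client-side view of what Amos describes: the proxy can only reach that point because it is already bumping the TLS session, which is why the reset works there and not from the plain-HTTP side. In Squid the replacement is done with `reply_header_access Strict-Transport-Security deny all` followed by `reply_header_replace Strict-Transport-Security "max-age=0; includeSubDomains"`, since `reply_header_replace` only applies to headers first denied by `reply_header_access`.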