Search squid archive

Re: peek and splice content inspection question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 


14.08.15 2:02, Marko Cupać пишет:
> On Fri, 14 Aug 2015 03:38:47 +1200
> Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> On 14/08/2015 12:47 a.m., Marko Cupać wrote:
>>> Hi,
>>>
>>> a few years ago I had a working setup of squid + dansguardian which
>>> was giving me ability to inspect traffic and filter it according to
>>> various criteria, mainly extensions, mime types and presence of
>>> malicious code (clamav).
>>>
>>> Lately most of the web moved to https, and dansguardian isn't
>>> maintained for almost three years, which made my setup obsolete.
>>>
>>> Is it possible - by means of squid's peek and splice feature - to
>>> inspect file extensions and mime types of https traffic? Can bumped
>>> https traffic be forwarded to icap (squidclamav) for AV scanning?
>>
>> Doing so is the features intended purpose.
>>
>>> And
>>> finally, would overly curious and unethical admin be able to easily
>>> dump bumped data and find sensitive information there?
>>
>> When correctly used TLS cannot be decrypted.
>>
>> BUt, most use of HTTPS today is not using TLS correctly.
>>
>> If it could be bumped at all then it could be dumped as easily as
>> inspected by an AV.
>>
>> Like a sharp knife can be as easily used for cutting vegetables as
>> throats. Ones intent has nothing to do with the tools capability or
>> lack.
>
> I completely agree with you, I shouldn't have mixed intent with
> capability which is great and which I intend to put to good use.
>
> So, if I understand well, if I just send traffic to squidclamav on icap
> tcp port, then I don't store usernames and passwords or private emails
> in cache?
I would not worry about it. No physical access to the cache such data
does not pull out with proper administration. Unless, of course, do not
put a proxy in a phone booth on the street. If it starts to bother me -
I either start using encrypted file system, or build a completely black
box - completely disable logging of user access.
>
>
> This is important to me in order to explain the complete mechanism to
> management and to create understandable policy for end users.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJVzQP8AAoJENNXIZxhPexGNDUIAMhXUmakjPIpSBlEcb2CsEZN
gS3b6iTLKo2YnBqr2NU1TV9/fqrDZIqd/lszlIta5phYmkiKcRGLP4bR87+SW7ze
dBGeAZeDehXWv4Ga7/YlmAB6LpWRC3Yd0lm3WTiZ/AnowcaxOHx/Q/H7DhDiIFEN
HRDjRGoTcoIkNP+BC76AnrF+8MErz0cPMXLBqVCXNR+ijNCP9LBza1Y5h88QqX7U
cpRaj88LsW7pQeNHNMDtO7PneNKzho/YUO+M0BTtHXw4Mdwdqt1MBViXhTTh/GP9
C5A1DDLvr384YmoG0eReEt/KVIBliTV80htmn6lYT5dJiX2Fu+TAOEjohz+nkcc=
=T28k
-----END PGP SIGNATURE-----

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux