14.08.15 2:02, Marko Cupać wrote:
> On Fri, 14 Aug 2015 03:38:47 +1200
> Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> On 14/08/2015 12:47 a.m., Marko Cupać wrote:
>>> Hi,
>>>
>>> a few years ago I had a working setup of squid + dansguardian which
>>> was giving me the ability to inspect traffic and filter it according to
>>> various criteria, mainly extensions, mime types and presence of
>>> malicious code (clamav).
>>>
>>> Lately most of the web moved to https, and dansguardian hasn't been
>>> maintained for almost three years, which made my setup obsolete.
>>>
>>> Is it possible - by means of squid's peek and splice feature - to
>>> inspect file extensions and mime types of https traffic? Can bumped
>>> https traffic be forwarded to icap (squidclamav) for AV scanning?
>>
>> Doing so is the feature's intended purpose.
>>
>>> And
>>> finally, would an overly curious and unethical admin be able to easily
>>> dump bumped data and find sensitive information there?
>>
>> When correctly used TLS cannot be decrypted.
>>
>> But, most use of HTTPS today is not using TLS correctly.
>>
>> If it could be bumped at all then it could be dumped as easily as
>> inspected by an AV.
>>
>> Like a sharp knife can be as easily used for cutting vegetables as
>> throats. One's intent has nothing to do with the tool's capability or
>> lack.
>
> I completely agree with you, I shouldn't have mixed intent with
> capability which is great and which I intend to put to good use.
>
> So, if I understand well, if I just send traffic to squidclamav on icap
> tcp port, then I don't store usernames and passwords or private emails
> in cache?

I would not worry about it. Without physical access to the cache, such data cannot be pulled out, given proper administration. Provided, of course, that you do not put the proxy in a phone booth on the street.

If it starts to bother me - I either start using an encrypted file system, or build a completely black box - completely disable logging of user access.

>
>
> This is important to me in order to explain the complete mechanism to
> management and to create understandable policy for end users.
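
The setup discussed in this thread, as an added `squid.conf` sketch that is not part of the original messages or the Squid project's own configuration. It assumes Squid 3.5 built with SSL-Bump support and a c-icap server offering the squidclamav service on 127.0.0.1:1344; the CA path, the ACL and service names, and the `.bank.example` domain are constructed placeholders.

```conf
# Added example, not from the thread. All paths, names and domains below
# are placeholders chosen for illustration.

# Proxy port with SSL-Bump; certificates are minted from a local CA that
# the clients must already trust.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on

# Step 1: peek at the TLS client hello so the requested server name is known.
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites the end-user policy promises never to decrypt are spliced:
# Squid relays the TLS stream untouched and nothing can be scanned or dumped.
acl no_bump ssl::server_name .bank.example
ssl_bump splice no_bump

# Everything else is bumped, i.e. decrypted on the proxy. From here on the
# content is cleartext to Squid, to the ICAP service and to anyone with
# administrative access to either.
ssl_bump bump all

# Hand decrypted responses to squidclamav for AV scanning.
# respmod_precache sends the response (the download), not the request body,
# so submitted forms are not passed to this service.
# bypass=off fails closed: if the scanner is down, the request errors out
# instead of passing unscanned.
icap_enable on
icap_service av_resp respmod_precache bypass=off icap://127.0.0.1:1344/squidclamav
adaptation_access av_resp allow all

# Do not write any object to the cache, so decrypted bodies are never
# stored on disk. This is the bluntest option and gives up caching entirely.
cache deny all

# Keep query strings (which may carry tokens or search terms) out of
# access.log. This is Squid's default, stated here to make the policy explicit.
strip_query_terms on

# The "black box" variant mentioned in the reply: no access log at all.
# access_log none
```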