On 25/09/2015 7:13 a.m., Yuri Voinov wrote:
>
> First. This is potentially dangerous. Can you guarantee your proxy never
> has physical/network access by intruders? HTTPS can contain sensitive
> data. You really sure you want problems with users? As a minimum you
> need to protect your proxy at level B2 (by Orange Book).

No more so than regular HTTP. Particularly now that "TLS everywhere" is getting popular amongst the big providers, HTTPS sensitivity is being diluted.

HTTPS messages have the same Cache-Control requirements as unencrypted HTTP. Squid obeys them just the same too.

What you do have to watch out for is protocol abuse in squid.conf like refresh_pattern overrides and ignores. Those are what cause dangerous trouble, and they do the same with plain HTTP. Proxy admins doing things like that and breaking HTTP is part of what's making HTTPS popular to begin with.

>
> Second. Yes, it is dangerous, but possible with SSL Bump. With very
> aggressive cache parameters and in conjunction with the previous sentence. So,
> this is dangerous for many sites - for its functionality and security,
> in general.
>

Problems with SSL-Bump are more legal related than technical.

> You still sure you want to do this?
>

Amos
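An added example, not part of the original thread: a small audit for the "refresh_pattern overrides and ignores" the reply above warns about, listing every override-*/ignore-* option found in a squid.conf. The option names and notes follow Squid's refresh_pattern documentation rather than the thread, the set of valid options varies by Squid version, and the function name and sample configuration are constructed for illustration.

```python
# Notes for options described in Squid's refresh_pattern documentation.
# Assumption: your Squid version may accept a different set of options.
NOTES = {
    "override-expire": "min age wins over an explicit Expires / max-age",
    "override-lastmod": "min age wins even for recently modified objects",
    "ignore-reload": "client reload / no-cache request is ignored",
    "ignore-no-store": "server Cache-Control: no-store is ignored",
    "ignore-private": "server Cache-Control: private is ignored",
    "ignore-must-revalidate": "server must-revalidate is ignored",
}
UNKNOWN = "not in NOTES; check the documentation for your Squid version"

def audit_refresh_patterns(conf_text):
    """Return (line_no, regex, option, note) for each override-*/ignore-* option."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        # Comment lines start with '#', so their first field never matches.
        if not fields or fields[0] != "refresh_pattern":
            continue
        args = fields[1:]
        if args and args[0] == "-i":      # optional case-insensitive flag
            args = args[1:]
        if len(args) < 4:                 # need: regex min percent max
            continue
        regex, options = args[0], args[4:]
        for opt in options:
            name = opt.split("=", 1)[0]   # tolerate name=value options
            if name.startswith(("override-", "ignore-")):
                findings.append((line_no, regex, name, NOTES.get(name, UNKNOWN)))
    return findings

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = r"""# static content cached aggressively
refresh_pattern -i \.(jpg|png|css|js)$ 10080 90% 43200 override-expire ignore-private ignore-no-store
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320 ignore-reload
"""

if __name__ == "__main__":
    for line_no, regex, name, note in audit_refresh_patterns(SAMPLE_CONF):
        print(f"line {line_no}: {regex} uses {name}: {note}")
```

With SSL-Bump in place, a pattern like the first sample line would apply to decrypted HTTPS responses as well, so responses marked private or no-store could be stored and served from the cache.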