Search squid archive

Re: How to avoid Squid disclosing the origin server IP when there is an error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Again, impressed by your knowledge. But I'm not really arguing against your knowledge. It is basically a principle choice to /call/ one thing security and the other privacy based on the impression or experience that the one thing provides actual defenses or benefits in certain common scenario's and the other doesn't. Perhaps that is pertinent to software security, but in that case it is a very specific field and you are going to define "security" in a very constrained way.

Basically, it is then more of a normative statement "what do me and my buddies consider good enough" rather than a statement of definition.

You are basically arguing that in (all) real world scenarios (of software/web/server security) the obscurity thing tends to converge on irrelevance. But even that is true, it is still not a defining characteristic, so to speak.

And I am just not that experienced in securty. I barely know about side channel attacks because I did read one paper on a memory access (latency) "localhost" attack on I believe OpenSSH or something that required a local account to manipulate cache hits/misses.

And my math was just not up to par to understand it :p.

But I must say the way they narrowed down the possible set (or chains) of keys based on known information was very interesting.


On Sun, 27 Sep 2015, Amos Jeffries wrote:

1) security by obscurity does not work.

Seriously, that is just dogma being repeated over and over by people who just heard it one time and accepted it as their own truth, without really thinking it over. Security by obscurity works very well,

This tells me you dont have much actual experience with security, or not low-level enough. Real experience with attacks and working on 0-day tools is better than even just "thinking it over". Thats what I based my statement on. Though I do adopt the industry phrase to get the idea across clearly.

But it's just not true. If all the world thinks that way and then devises systems and setups where it is practically useless, then it is still not true. Also, obscurity is not intended to defend against single-point-of-interest attacks. Or anything that makes you a really interesting target to those who already know you.

The point and the problem is that this industry phrase is a judgement that really closes off thinking. You might even start missing out on opportunies that might help you. I mean, to give this example again.

Perhaps it is not relevant when you have (or someone has) excellent scanning tools and all that. But usually, in the physical world, and in many many situations, thereof, there is certainly knowing or not knowing "the terrain". If you know where you are, for example, but your pursuer does not, it is obviously easier to escape. Now, if that pursuer was using helicopters, satellites, automatic camera surveillances and analysis, and tracking dogs to top it off :p, it would become a kind of different situation.

So perhaps in (computer) security the status quo is that attackers and defenders both have access to that level of sophistication in every instance. And if information is almost never capable of being hidden, well, then perhaps you'd better become a brick wall, or better yet, a nuclear shelter.

In lesser situations though it becomes perfectly clear that if you know how something works and someone else doesn't, you can use that to your advantage. You may not want to call that "security" but I would call it "escaping with my life".

There is something about masculine 'security' and feminine 'security'. The one you are advocating is like masculine. Strong defenses. Not relying on luck, or surrendering to the flow of things. Certainty at every level. Guarantees. But often in life you also have to proceed based on confidence and intuition alone, and you may need to trust that conditions will meet where you want to be, when you get there.

If you are exposed anyway because you are a big business and all that, there is already a design choice being made. Within certain choices already having been made, the resulting 'security landscape' is also informed by that choice or those choices.

Then, given that practical reality, you end up in a status quo where some truths seem to hold. One of these conclusions may be "security by obscurity is not security". But that still doesn't make it true. It makes it dogma that is only true provided some well-established conditions remain in force. That means it is not universal but more of a "rule of fist" (Dutch phrase) -- a best practice or guideline you can always rely on.

But it is actually a vulnerability. An attacker that is creative enough will see your (that) (not wanting to insult here) fixed mindset and know the blind spots that result from this fixation in thinking. This person would think "hey, that's curious". "They left this possibility open". "It just doesn't occur to them that anyone would do that".

I'm sorry, I was just like responding to that phrase alone, not necessarily to this subject of CDN networks and this particular error message, although the same holds true. My apologies.

It's just that that industry phrase, as you term it, is repeated so often that even a security layman as myself must have heard it uttered at least a dozen times in my own experience on mailing lists and perhaps more on the web. It is a mantra, but the fact that people feel it needs to be repeated constantly means that it doesn't come intuitive or instinctive. And that means that in general people don't agree with it. These disagreeing people are then called stupid in one way or another.

Sometimes you just have to stick to what makes sense intuitively to know the real truth. Because you might learn something new that people overlook.

And even if you know ...like nothing about security. You may still be able to devise a better system. If you understand the fundamentals better. If you can avoid the mistakes that were made prior to it. If you can unlock a secret. If you can travel to the moon through a gateway no one knew about ;-).

Not for sane security. For privacy. The two are different, though
complimentary.

Then you (or the industry, as per you) has just reverted to calling the masculine type of security "security" and the feminine type of security "privacy" and warped both concepts in the process. It is more of a statement as to what you consider "worthy" than that it is about what it really is or comes down to.

All I know is that disregarding "privacy" can make you feel very /unsafe/. I will agree that this is not the same as feeling "secure" or "insecure". Security to my mind has more to do with having set up the required prerequisites required to counter any attack or problem. Security then revolves around feeling content that you have done what is necessary in the event of something happening. Privacy is meant to make the likelihood of that event happening, less or lower. Your situation can be extremely "insecure" in that sense but you can still make it out "unscathed" due to your level of privacy.

There is some line from some book about not telling your left hand what your right hand knows, that pertains to this ;-).

To take your analogy; walking into the town square keeping your mouth closed dressed in a cape and mask while someone is firing a machine gun all over the place will see you just as dead.
They won't know who you are, but you'll still be dead.

If that is the environment you operate in, well, good luck :p.

Most of the time in the real (physical) world the situation is that there are a lot of *potential* attackers (sometimes just about everyone) but attack only happens as soon as you are 'identified'. Cloak and dagger might not be that bad. I would agree that this is not an ideal situation to have for a 'living' but in this condition your real 'security' is going to be rather fragile regardless. You always need *some* level of "real" security, even if it is nothing more than your hideout in the mountains. I knew a guy who put traps in his vehicle and residences.

Person breaks into his car and starts to ignite it. But the ignition has been altered and the chambre is flooded with a sleeping gas. ;-).

Real world too. They are just Russian. Someone broke into his "vacation house" and the room automatically locked itself, flooded with water up to neck level, and alerted the authorities automatically. I have had a rock in my hands that was 3 billion years old. Andromeda :p.

You may not call that security but it sure works by obscurity ;-).

But it does *not* tell that. HTTP is multi-hop. All the error message
states is that 127.0.0.1 *somewhere* is unavailable. Good luck defining
"somewhere".

All it tells with certaintly is that there is at least one proxy operating. Attackers have zero information about whether that server is the origin server or just another proxy. They also dont have any info from that page about how many proxies down the chain the error was generated. Either way if erver X was the target they have to get to server X through the proxy they are already contacting and/or profiling, and cannot do so due to it being down and unavailable.

It could as easily be one of these scenarios:

<snip>

Good luck if its the third one. Which is actually quite popular with all
the major CDN.

Alright thanks for the information. I would still not be unhappy about this information if I was interested in something.

In a system relying on obscurity the effort required is near zero.
System profiling takes under 10 HTTP messages and attack scan to find
the obscured vulnerability takes however many needed to scan through
CVE/0-day the attacker or their tools knows about for that combo of
software.

Back in the day (I've read that book that Assange cooperated on) 'hackers' were dealing with systems they knew nothing about, including how to program for it. You can say that did not make it terribly secure as eventually "they" found out. It did take a lot of effort though. When they learned, the first wrote a port/host scanner on that system, and after a time he came across a banking system that spewed out credit card information on first connect. Nothing required. Completely and only "protected" by obscurity, as it seems, as it was. Of course you can't rely on that.

But know this.

In a world where all important software is open source (as per "obscurity is not security) and if you stick to that, and your system is identified, then this attacker needs only use his toolkit or whatever advanced toolkit he can get / write. I'm thinking there are a bunch or a lot of female hackers these days too though. Maybe even 10%. Women understand this better.

What if, instead, you had a customized version of that software unique to your system. Many a hacker needs to study the exact version or environment of the software he wants to attack?.

Just by simple adjustment you can render any and all toolkits worthless.

This toolkit is actually a mass-targetting feature. You can perfectly devise defenses that counter it. It requires obscurity. Then your attacker suddenly needs to gain access to your binaries or source code. You now have an information advantage that is momentous. The toolkit is a feminine attack on a masculine defense, and hence successful. Obscurity, real obscurity ;-) always requires dedication on a single target to defeat it. Passwords are a form of obscurity, by the way. They are called secrets :p.

And what does published documentation have to do with proxy A failing to connect to some upstream server? This thread is not about documentation, its about whether or not some admin has secured their CDN proxy.

Well actually I thought it was about whether this user considered the error message a vulnerability to his own system. I guess your response is "secure so it won't matter". Whenever someone gives me that sort of reassurance, I know I'm in danger ;-). But I think you already know the answer to your own question.

The same applies to attacking a system. If the cost becomes too high for the benefit that can be gained, people will just leave a system alone.

It is important.

Now that is dogma. Probably true most of the time, but still experience
(and a bit of thinking) uncovers cases where it is false.

Not sure what you mean. In general that would mean the cost is not too high? Or maybe there just is no cost to doing something. Or someone believes there is something to be gained anyway?

The world of proxies :D.

It is a negative statement about availability with the property that
when its *not* happening one still cannot be certain about up/down
status on the particular server application.

Alright, good information. But I think this user was primarily concerned with the basic unpleasantness of any such information being shown? Practical impossiblity does not equate to fundamental uselessness. Just because something ... I guess I'm a bit stupid at this point, but just because you can be /pretty sure/ that nothing bad can happen doesn't mean it then becomes good practice to just go and flaunting it. You *are* depending on your perfect or sufficient knowledge of the entire system. That level of dependence might cause butt-hurt. If you happen to have missed something your negligence of precaution may suddenly cause a bite mark somewhere ;-). Just saying, you know.

* If the attacker did manage to trigger this event they have no certinty
about whether it was their action or a combination of their action and
some other parallel traffic they are unaware of.

You are way cool you know. Seriously, mean it. Like I'm talking to the expert of experts ;D. :).

How does that strike you for height on the bar?

I'd take on the challenge lol. In due time, maybe in a previous life. ;-).

LOL!

The one attack where this is useful is a DoS attack, where it is a sign
that DoS is happening, but since ther is clearly a proxy involved the
Dos success/fail state is still uncertain. Proxies have this ability to
limit DoS to particular clients and/or present different variants of
response to different requests. So the attack request may be getting
this error while regular traffic does not even notice.

Above my head at this point.. Even if you could use this feedback as an indication of DDoS (DoS) success ... well I guess it could warrant conditions for a further stage that would be impossible or too dangerous without it. Dunno. I know that this level of knowledge or feedback can be quite vital though. Sometimes if a feedback mechanism fails you are just left without recourse to proceed. I really hate that. I hate those people :P. LOL.

I'm no hacker, just pretending to be one to some people at some times ;-P.

Seriously. I'm just a stupid person ;p.

This is slightly incorrect. Protecting the server requires protecting it, not hiding. Proxy offers a higher bar to DoS attacks, and added complexity of software HTTP interptetations and ACLs that need to be broken or bypassed before any attack is successful.

I mostly meant "hiding" as a form of encapsulating. I mean, the webserver could be on an internal network, right? It is not anymore hidden than your couch in your living room is hidden. Not everything has to be global IP exposed.

Personally I like this idea of connecting with e.g. VPN or whatever and then using a service that only answers to e.g. 127.0.0.1.

You can see how beginner I am :P.

You still have to place the protections in both proxy and server to gain
those proxy benefits. At which point the server location starts to mean
almost nothing in terms of protection.

Do you mean that given adequate firewall settings a connect will be impossible anyway from a host that is not supposed to?

And at that point given this adequate or perfect design, any other precaution is rendered redundant?

Having the server on the same host as the proxy adds the localhost hardware protections. That is all. Then exposes it to side effects of CPU consumption attacks made against the proxy which would not be an issue if it were separate.

Right. I believe separate-host service or provision is important anyway. Such as not storing audit logs on the same machine.

That high CPU consumption is just one normal peak traffic case for a
proxy. So it can occur almost on demand if an attacker chooses. Squid is
designed to continue operating under those conditions. Servers and in
particular "application layer" stuff is much more fragile.

Not sure what you mean. You're saying that although Squid might be vulnerable to this scheme, it is not really of greatest interest given other vectors?

I guess application layer flaws account for the vast majority of break-ins?

Not sure, it seems that way. The higher you get in your coding (such as PHP) the easier it is to make mistakes or leave things open. Apart from C and its inherent weaknesses. PHP is like designed to have a nest of vipers that will bite you if you stick your hand in. Whatever.

I mean it is mandatory for each proxy along the chain to send headers
detailing the hosts and protocols the message has passed over. One
ambiguous detail in a rarely occuring error message is the hard way to
get any info which is spewed forth on every request. And on diagnostic
requests is presented "on a silver platter" as the saying goes.

Right. I'm sorry, I was not very cognisant of that. I never studied these header responses from e.g. CDNs. It also seems weird that this information is mandatory.

Aye, it is prettier as well if this information is not shown/leaked.

Then dont use that error template. Eliezer pointed out how. When it does
occur it presents the minimum of vital debugging information necessary
to resolve the outage.

Aye, I'm not necessarily saying it would be a flaw or mistake or error of the Squid proxy, just that perfection is not guaranteed if this is the default :p.

This error message is specifically designed to reveal those two details
of URL and which server was down. Such that it can be identified and
fixed. So this does not qualify as a vulnerability leak.

That doesn't follow, but whatever ;-) :).

In reverse-proxy cases the end user receiving it is perhapse not the
best target, the log would be better. Patches making the distinction are
welcome.

Aye, I guess that was the point. It would not matter to me if this was a forward proxy. It is pretty damn helpful that Squid tells me what host was down in a nice graphical page. For a regular forward proxy being informed like that is supremely helpful.

I'm not really in the position to do any coding at this point though in other systems, no matter how much I would love to get more familiar with code of projects that interest me. But thanks for the offer.

I usually have no need, for instance, for detailed database connection
failure reports. It is ugly and exposes a lot of internals to your user.
A common user will also be thinking "what is this shit?". It is not
tailored for the presentation that was created for the website proper.
If anything, an error message like that would need to get a message page
that is in line with the semantics/display/appearance of the page/site
itself. Just to be consistent and keep the encapsulation intact.

This is what errorpage.css config file is for. Reverse-proxy
installations should use it to brand their proxy generated responses.

:-) and welcome. If you would like to help improve the error messages,
patches to update the templates are welcome.

But be aware that proxies have a very wide set of use-cases to cater
for, so eliminating details is not always the best choice. The case in
point being that the detials being a worry to some now are critical for
ISP installations to report, but not reverse-proxy. We ride the fine
line between relevance and leaks.

;-). I guess that was the point. It is merely for reverse proxies that it is worrisome, I guess.

I barely even know what a reverse proxy is. Okay, I do. Slightly.

:p.

Thanks man.

Oh I'm gonna stop responding like this in detail because for some reason my email client (Alpine) has stopped prepending > to the replying-to-message for some reason and I don't know why or how or how to stop it :p.

Makes it rather tiresome to quote stuff.

Regards...
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux