Hey Xen,
I am not really a proxy expert and I am not really such a great security
guy, but both you and Amos are right.
There are cases in which revealing an internal IP address is bad
practice. Also, there are other ways to identify the internal host, which
cause issues.
In the specific case of 127.0.0.1 it really doesn't help a thing in most
cases.
Leaving aside horror stories from reality, you might know much (as you
declared) about proxies, and I must invite you to the Squid world of proxies.
It's a great place to learn about HTTP and many other things in general.
The squid-users list is not a busy one, but it is a great one.
Take your time and ask or discuss, this is the place for that.
There are sensitive systems that actually hide themselves behind a
proxy, since one of the names of an HTTP proxy is "application layer
firewall".
It is a common usage of squid and other proxies.
Do yourself a favor and leave books and movies on the desk for a second.
Please do that.
I am not sure if you have ever seen a room of jumpy IT managers who jump
because of some new bug, but I have seen it a couple of times, and it's
amazing what they jump at.
If you take some vulnerabilities and actually try to understand what
they do and how they do it, you understand why some of them are not a real
threat.
Just back to the specific 127.0.0.1: it's really nothing. It's like
saying "I am a human, I have a head".
If you feel like it's something you don't want to give up on, feel free
to change the ERROR page; it is common practice to replace them or use
custom ones.
If it is what makes you sleep at night, then so be it.
Leaving the 127.0.0.1 case aside, banks do tend not to disclose internal
IP addresses, and it's common sense, if you have the right tools, to give
the user a nice, well-formatted message that was audited by a
security team.
Is it security? Definitely maybe!
Just a sentence about the Internet: it's a nice and lovely place with
lots of roses, wild animals and humans, but Squid is there to help all
those who actually need an HTTP application-level firewall system.
So please leave jumpy IT managers and horror stories aside, so you will
just have enough memory and space for reality.
And I have a scene just for you to have some laugh time:
https://www.youtube.com/watch?v=FW2Q0W2V4q0
The above video is a demonstration of what fiction does when a jumpy IT
manager meets a security salesman.
All the best,
Eliezer
On 27/09/2015 12:46, Xen wrote:
Again, impressed by your knowledge. But I'm not really arguing against
your knowledge. It is basically a principle choice to /call/ one thing
security and the other privacy based on the impression or experience
that the one thing provides actual defenses or benefits in certain
common scenarios and the other doesn't. Perhaps that is pertinent to
software security, but in that case it is a very specific field and you
are going to define "security" in a very constrained way.
Basically, it is then more of a normative statement "what do me and my
buddies consider good enough" rather than a statement of definition.
You are basically arguing that in (all) real world scenarios (of
software/web/server security) the obscurity thing tends to converge on
irrelevance. But even if that is true, it is still not a defining
characteristic, so to speak.
<SNIP>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users