
Re: Would it be possible to run a http to https gateway using squid?


Hey Amos,

You are right that it seems like there is no point since you already decrypt the connection. But in the real world the price of maintaining an encrypted session for many users for a long period is not the same as maintaining them for short bursts.

Since all YouTube traffic is done over HTTPS it would be pretty simple with today's tools to use some kind of "https to http bridge" software that would fetch the pages for the clients (most of the pages are tiny), and it would help the clients to be able to handle less secured traffic.

I know that with today's hardware it's almost not needed, but inside a trusted network there is no point in using end-to-end HTTPS (to my understanding). Some might not believe that there are trusted networks in the wild, but I know that these do exist and in many of them such a GW is required.

Eliezer

On 11/05/2016 08:40, Amos Jeffries wrote:
> On 11/05/2016 9:25 a.m., Eliezer Croitoru wrote:
>> I was wondering to myself, if I can generate certificates and bump the
>> connection, I can use a 302\308 to redirect all traffic from https to a
>> http (interceptable) connection.
>>
>> Then on the http interceptor rewrite the request into https.
>
> What would be the point? You already had to decrypt to do the bump and
> redirect.
>
>> I have a working setup which uses a redirection "attack" to authenticate
>> users over http+https.
>>
>> Now the issue is that if all browsers will deny a redirection from https to
>> http (a downgrading attack) then the http world would look a bit weird.
>
> Not that weird. It is called HTTP Strict Transport Security (HSTS).
>
>> And as an addition I have seen that Microsoft use an "FTP"-like transfer
>> protocol in their software.
>>
>> They have a "secured" control channel which has certificate pinning or
>> something else as a safeguard,
>> and in more than one case they use another channel to fetch the request over
>> plain HTTP (when a proxy is defined).
>
> You will note that this is a very cache friendly way to do crypto. The
> bulky part of the content is cacheable by anyone who needs to reduce
> bandwidth, but remains securely verifiable and integrity checked using
> the off-band details.
>
> However, it is not what you are talking about for your tool. The above
> method by MS requires intentional design in the web service with
> integrity checking actually performed by the endpoints.
>
> Under downgrade attack conditions the endpoints would not know that the
> extra work was needed so one cannot assume that it is getting done. One
> of the reasons browsers are so into TLS is that the transport layer does
> all the verification and leaves them able to skip perceived slow
> security checks at higher levels.
>
>> Would it be reasonable to write and publish such a tool? Or is it a security
>> risk to publish such a tool to the public?
>
> Up to you. AIUI it is illegal in most of the world to make use of it. Like
> most hacking tools if used other than for permitted penetration testing
> and research purposes.
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
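The HSTS behaviour Amos refers to, as an added example that is not part of the thread: a small policy store after RFC 6797 that records Strict-Transport-Security headers seen over HTTPS and reports whether a browser holding that policy would still fetch an http:// redirect target in the clear (which is what decides whether an https-to-http redirect gateway ever sees the request). Host names, header values and clock values are constructed.

```python
# Added example, not from the thread: HSTS policy store after RFC 6797; sample data is constructed.
from urllib.parse import urlsplit


def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # RFC 6797 6.1: a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """host -> (expiry_epoch, include_subdomains); fed only from HTTPS responses."""

    def __init__(self):
        self.policies = {}

    def observe(self, host, header, now):
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = (now + max_age, include_sub)

    def is_known(self, host, now):
        # Walk from the host up through its superdomains (includeSubDomains).
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def downgrade_redirect_succeeds(self, location, now):
        """Would a 302/308 to this http:// URL be fetched in the clear?"""
        url = urlsplit(location)
        return url.scheme == "http" and not self.is_known(url.hostname or "", now)
```

A host the browser has never seen over HTTPS, or one whose policy has expired, is still redirectable; that is the window HSTS preloading closes.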




