On 31/08/2016 5:25 a.m., Marcus Kool wrote:
> Do I understand it correctly that Squid in normal proxy mode
> allows malware to do a CONNECT to any destination, while in
> transparent proxy mode does extra security checks which causes
> some regular (non-malware) clients to fail?

Intercepted traffic has different processing applied, different assumptions made about the traffic, and a different security model relevant to its messages. The short answer is "yes", but reality is not that simple black/white.

>
> And philosophical questions: is Squid the right tool
> to stop malware? If yes, is it acceptable that connections
> of regular (non-malware) clients are wrongly dropped?

No more or less than any software. Squid manages the HTTP that flows through it. If the malware uses HTTP messages to communicate then it is very much part of Squid's job to prevent that. Other protocols Squid is not responsible for, except to prevent itself being a vector of attack.

>
> IMO Squid should do all it can to be a secure proxy.

Which is the case for Host forgery attacks. If Squid did not MITM the network traffic, there would not be a vulnerability to Host forgery issues. Therefore an intercept/tproxy Squid is very much responsible for preventing this particular type of attack which it causes to exist. A forward-proxy or reverse-proxy does not have that vulnerability, therefore does not need to check the same things.

> Doing security checks on connections in an attempt
> to stop malware sounds like a job for an antivirus / IDS tool.
> Additional to what Squid does.

Indeed many of those tools use a proxy service which performs the same or similar checks to what Squid does, with far more intrusive behaviour, or are themselves also vulnerable to becoming vectors of the Host attack(s). The Host attack(s) are a vulnerability built into the concept of MITM'ing HTTP(S) traffic. It is not something specific to Squid.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
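The distinction Amos draws above (a forward proxy is told its destination by the client, an intercepting proxy is not, so only the latter has to defend against a forged Host header) can be made concrete with a small routing model. This is an added illustration, not Squid's code or the thread's: it assumes a stub DNS table in place of a real resolver, a stripped-down request with only the fields the decision needs, and a decision rule modelled on Squid's documented handling of intercepted traffic (verify that the Host header resolves to the original TCP destination; on mismatch either reject, as with the `host_verify_strict` directive on, or refuse to trust the Host header and pin the request to the original destination IP).

```python
"""Model of the Host-vs-destination check an intercepting proxy needs.

Added example, not Squid's source. Assumptions: STUB_DNS stands in for a
resolver, Request is a simplified request model, and the verdicts follow
Squid's documented intercept behaviour rather than its implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed DNS data (not real resolution): hostname -> legitimate addresses.
STUB_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "cdn.example.net": ["198.51.100.10", "198.51.100.11"],
}


@dataclass
class Request:
    mode: str          # "forward": client addressed the proxy and named its target
                       # "intercept": TCP connection was diverted to the proxy
    host_header: str   # value of the Host header, fully under client control
    dst_ip: str        # original TCP destination (meaningful only when intercepted)


def _host_only(header: str) -> str:
    """Lower-case the Host header and drop a trailing :port (hostname or IPv4 only)."""
    value = header.strip().lower()
    if value.count(":") == 1:           # "host:port"; IPv6 literals are out of scope here
        value = value.split(":", 1)[0]
    return value


def route(req: Request, strict: bool = False,
          resolver: Dict[str, List[str]] = STUB_DNS) -> Tuple[str, str]:
    """Return (verdict, destination) for a request.

    verdict is one of:
      "forward"  - forward-proxy request; the client named the destination itself,
                   so there is no intercepted destination to cross-check.
      "verified" - intercepted, and Host resolves to the IP the client connected to.
      "pinned"   - intercepted, Host does not match; request is tied to the original
                   IP and the Host header is not trusted for routing (non-strict).
      "reject"   - intercepted, Host does not match, strict mode (Squid answers
                   such requests with an error instead of forwarding them).
    """
    host = _host_only(req.host_header)

    if req.mode == "forward":
        # Nothing to forge: a forward proxy only ever goes where the client asked.
        return ("forward", host)
    if req.mode != "intercept":
        raise ValueError(f"unknown mode {req.mode!r}")

    # Intercepted: the client believes it is talking to dst_ip. Routing on the
    # Host header alone would let a client reach any server via the proxy's
    # network position, which is the Host forgery problem the thread describes.
    if host == req.dst_ip:
        return ("verified", host)                 # Host is an IP literal that matches
    if req.dst_ip in resolver.get(host, []):
        return ("verified", host)                 # Host resolves to the original IP

    if strict:
        return ("reject", "")
    return ("pinned", req.dst_ip)


if __name__ == "__main__":
    for r in (Request("forward", "anything.invalid", "10.0.0.1"),
              Request("intercept", "www.example.com", "93.184.216.34"),
              Request("intercept", "www.example.com", "198.51.100.10")):
        print(r.mode, r.host_header, "->", route(r), "strict:", route(r, strict=True))
```

The "pinned" branch is what makes the thread's trade-off visible: a legitimate client whose Host header happens not to resolve to the address it connected to (split-horizon DNS, a CDN whose records rotate faster than the proxy's view of them) is handled exactly like a forged one, because from the proxy's position the two are indistinguishable; that is the source of the "regular clients fail" complaint in the original question.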