THANK YOU guys, all. So my question, put another way, is: if I have a Squid proxy, using it the TCP_Connect way, and from the same PC and same browser I try to open Facebook from 200 different addresses, then Facebook won't have a footprint that 200 different addresses hit FB from the same public key/cert. I just want to make sure there is no footprint. That's why I asked. Let me know your concerns, guys. Thanks a lot, guys!

> On 12 Jul 2018, at 23:35, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
>
> Alex,
>
> Just to be sure:
> Every RSA key and certificate pair, regardless of the origin server and the SSL-BUMP enabled proxy, can be different.
> If the key were the exact same one then we would probably have a very big security issue/risk, to my understanding (leaving aside DH).
>
> Would it be more accurate to say that as long as these 200 Squid instances (different squid.conf and a couple of other local variables)
> use the same exact ssl_db cache directory, it's probable that they will use the same certificate?
> Or these 200 Squid instances are in SMP mode with 200 workers...
> If these 200 instances do not share memory and certificate cache then there is a possibility that the same site from two different sources
> will serve different certificates (due to the RSA key being different).
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
>
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Alex Rousskov
> Sent: Thursday, July 12, 2018 11:27 PM
> To: --Ahmad-- <ahmed.zaeem@xxxxxxxxxxxx>; Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: question about squid and https connection .
>
> On 07/12/2018 01:17 PM, --Ahmad-- wrote:
>
>> If I have PC #1 and that PC opens Facebook,
>>
>> then I have another PC #2 and that other PC opens Facebook.
>>
>> Now, as we know, Facebook is HTTPS.
>>
>> So is the key/cert used on PC #1 the same as the cert on PC #2 to decrypt the FB encrypted traffic?
>
> Certificates themselves are not used (directly) to decrypt traffic
> AFAIK, but yes, both PCs will see the same server certificate (ignoring
> CDNs and other complications).
>
>
>
>> Now, in the presence of Squid:
>>
>> if I used the TCP CONNECT method, will it be different from the above?
>
> If you are not bumping the connection, then both PCs will see the same
> real Facebook certificate as if those PCs did not use a proxy.
>
> If you are bumping the connection, then both PCs will see the same fake
> certificate generated by Squid.
>
>
>
>> Say I used 200 proxies on the same Squid machine and I accessed FB from the same PC, same browser.
>>
>> Will Facebook see the cert/key I used to decrypt its traffic?
>
> If you are asking whether Facebook will know anything about the fake
> certificate generated by Squid for clients, then the answer is "no,
> unless Facebook runs some special client code to deliver the (Squid)
> certificate back to Facebook".
>
> In general, the origin server assumes that the client is talking to it
> directly. Clients may pin or otherwise restrict certificates that they
> trust, but after the connection is successfully established, the server
> may assume that it is talking to the client directly. A paranoid server
> may deliver special code to double check that assumption, but there are
> other, more standard methods to prevent bumping such as certificate
> pinning and certificate transparency services.
>
>
>
>> Is the key/cert of FB used to decrypt the HTTPS content the same on all browsers on all computers?
>
> If you are asking whether the generated certificates are going to be the
> same for all clients, then the answer is "yes, provided all those 200
> Squids use the same configuration (including the CA certificate) and
> receive the same real certificate from Facebook". Squid's certificate
> generation algorithm generates the same certificate given the same
> configuration and the same origin server certificate.
>
>
> HTH,
>
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
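Alex's point is that the origin server cannot tell whether the client saw the real certificate or a proxy-generated one; only the client side can check that. The script below is an added example (not Squid code and not written by anyone in the thread) that fetches the leaf certificate a client actually sees, once directly and once through a CONNECT tunnel, and compares the SHA-256 fingerprints: the same fingerprint means the tunnel is passing the origin's certificate through, a different fingerprint (or a verification failure) means something between the client and the origin is terminating TLS. The proxy address 127.0.0.1:3128, the default host name and the two sample CONNECT replies are assumptions constructed for this example.

```python
"""Compare the TLS leaf certificate seen directly with the one seen through a
CONNECT tunnel, so a client can verify whether its proxy is bumping.

Added example for this thread; not Squid's own code. The proxy endpoint and
the SAMPLE_TUNNEL_* replies are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import socket
import ssl
from typing import Optional, Tuple


def parse_connect_reply(raw: bytes) -> Tuple[int, str]:
    """Parse the status line of a proxy's reply to a CONNECT request.

    Returns (status_code, reason). Raises ValueError when the reply does not
    start with an HTTP status line (a sign the peer is not an HTTP proxy).
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def read_connect_reply(sock: socket.socket, limit: int = 16384) -> bytes:
    """Read the proxy's reply headers up to (and including) the blank line."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy reply headers too large")
    return buf


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(der_a: bytes, der_b: bytes) -> bool:
    """True when both DER blobs are byte-for-byte the same certificate."""
    return fingerprint(der_a) == fingerprint(der_b)


def fetch_leaf_cert(host: str, proxy: Optional[Tuple[str, int]] = None,
                    timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate the client sees for `host` on port 443.

    With `proxy` set, a CONNECT tunnel is opened first. Certificate
    verification stays enabled, so a bumped connection whose CA is not in the
    client trust store fails loudly instead of being fingerprinted silently.
    """
    ctx = ssl.create_default_context()
    if proxy is None:
        raw = socket.create_connection((host, 443), timeout=timeout)
    else:
        raw = socket.create_connection(proxy, timeout=timeout)
        raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
        code, reason = parse_connect_reply(read_connect_reply(raw))
        if code != 200:
            raw.close()
            raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)


# Constructed sample replies, used for offline testing of the parser.
SAMPLE_TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_TUNNEL_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    proxy = ("127.0.0.1", 3128)  # assumption: a local Squid on its default port
    direct = fetch_leaf_cert(host)
    via_proxy = fetch_leaf_cert(host, proxy)
    print("direct    ", fingerprint(direct))
    print("via proxy ", fingerprint(via_proxy))
    print("same leaf certificate:", same_certificate(direct, via_proxy))
```

Run it as `python3 check_bump.py www.example.com` from a host that can reach both the origin and the proxy. If the proxy only tunnels, both fingerprints match; if it bumps with a CA the client trusts, the fingerprints differ; if it bumps with a CA the client does not trust, the second fetch raises an `ssl.SSLCertVerificationError`, which is itself the signal you want rather than something to suppress.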