On 08/12/2018 06:57 PM, Julian Perconti wrote:
>> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
>> Sent: Sunday, 12 August 2018 20:50
>> To: Julian Perconti <vh1988@xxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: About SSL peek-n-splice/bump configurations
>>
>> On 08/12/2018 04:09 PM, Julian Perconti wrote:
>>> I would like to know which of these two cfg's are "better" or "more secure"
>>> when a site/domain is spliced, bumped, etc.

>> It is impossible to answer that question without knowing how _you_ define
>> "better" or "more secure".

> I meant "security" from the client side accessing a
> non-bumped or spliced site, e.g. a bank website... client-side
> "privacy", or a -real- man-in-the-middle attack due to squid in the
> middle.

A splicing Squid does not perform a man-in-the-middle attack on TLS or
HTTP traffic. It essentially acts as a TCP/IP-level proxy and can log
TLS handshake details. In some environments, doing all that improves
"privacy" and "security". In others, it makes things worse (for some
definition of "privacy" and "security").

A bumping Squid performs a man-in-the-middle attack on TLS traffic.
After a successful attack, it essentially acts as an HTTP-level proxy
and can log or even alter TLS and HTTP traffic. In some environments,
doing all that improves "privacy" and "security" (for some definition
of "privacy" and "security"). In others, it makes things worse.

You would have to ask a much more specific question to get a more
specific (but still correct) answer.

> It is well known that there is no system/network/OS that is 100% secure, but,
> I don't know why, I always thought or still think that with an https
> proxy/filtering, the security or "the things" become riskier than if
> this one did not exist. Even with squid 100% correctly configured and the
> server well secured.
There are examples where deploying a splicing or even bumping Squid
improves security of the humans and/or machines that are trusting Squid
to examine and/or police their traffic. There are counter-examples as
well. And I am sure that many installations can be viewed as both,
depending on who gets to define "privacy", "security", and the "right
balance" between the two.

> What does squid do when I don't specify the step?

Bugs notwithstanding, Squid should either

* bump if you were staring during the previous (explicitly configured) step or
* splice otherwise (including cases when no previous step was explicitly
  configured or existed).

I would not rely on this (correct) behavior without testing (at least)
your Squid version (at least). I know that early SslBump implementations
had bugs in that area.

> For example:
>
> What does squid do with..:
> ssl_bump splice step3 noBumpSites

Assuming there are no other rules, Squid should splice at step1 (see the
"splice otherwise" rule above).

> ...And what does it do instead with this?:
> ssl_bump splice noBumpSites

Assuming there are no other rules, Squid should splice at step1. It will
do that when noBumpSites matches (naturally) and if noBumpSites does not
match (per the "splice otherwise" rule above).

> So, would you prefer option 2?

Sorry, I cannot answer this question -- too many unknown variables. It
is like asking a doctor whether she prefers to treat the patient with
drug A or drug B when the doctor does not know what the patient is
suffering from and what the patient's treatment preferences/goals are.

>>> with Option 1 I don't see the domain in "TUNNEL" line, just the IP
>>> addr.)

>> I doubt that is how it is supposed to work. When splicing, Option 1 should
>> have the same or more information so it should log the domain name if
>> Option 2 has the domain name. If you are comparing log lines for identical
>> transactions, then this could be a Squid bug.
> I don't know, I just tell what happens in the access.log when I
> switch between these ssl_bump configs.

Yes, and I am just describing what should be happening (IMO). If what is
actually happening bothers you, and it does not match what should be
happening, and nobody comes up with a better explanation, then consider
filing a bug report and working with developers to address the problem.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
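A squid.conf fragment, added here as an illustration and not taken from this thread or from the Squid project, that names the step on every ssl_bump rule so the implicit "splice otherwise" default discussed above never decides the outcome; the acl names and the list file path are assumptions:

```conf
# Name each SslBump step explicitly with the at_step acl type.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be bumped, matched on the TLS server name (SNI).
# The file path is an assumption for this example.
acl noBumpSites ssl::server_name "/etc/squid/nobump-sites.txt"

# Step 1: only the client's ClientHello is available. Peek to learn the
# SNI without yet committing to bump or splice.
ssl_bump peek step1

# Step 2: the server name is known. Splice (no man-in-the-middle) for
# listed sites; stare at everything else so bumping at step 3 stays possible.
ssl_bump splice step2 noBumpSites
ssl_bump stare step2

# Step 3: the server certificate is known. Bump what was stared at.
ssl_bump bump step3
```

Because every action carries a step acl, the access.log outcome for a given SNI can be predicted from the rules alone rather than from the version-dependent default behavior.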