On 5/20/20 6:02 AM, Matus UHLAR - fantomas wrote:
>> On 5/19/20 9:24 AM, Matus UHLAR - fantomas wrote:
>>> David, note that requiring browsers to connect to your proxy over
>>> encrypted (https) connection, and then decrypting tunnels to real server will
>>> lower the clients' security

> On 19.05.20 10:46, Alex Rousskov wrote:
>> A proper SslBump implementation for HTTPS proxy will not be "decrypting
>> tunnels to real server". The security of such an implementation will be
>> the same as of SslBump supported today (plus the additional protections
>> offered by securing the browser-proxy communication).

> If David wants to ssl-bump the traffic inside the HTTPS tunnel, it means that the
> communication between browser and server has to be decrypted on squid,
> squid will talk to server using HTTPS

You are right. Due to insufficient shared terminology, we are simply
talking about two different things:

* I am talking about Squid (in a bumping HTTPS proxy role) sending bumped
  requests to plain servers, exposing previously encrypted traffic. While
  that is technically possible to support (in some cases) and even
  occasionally explicitly requested (in a peering environment), that
  should _not_ happen if the existing SslBump support is added to the
  existing HTTPS proxy mode.

* You are talking about Squid (in a bumping HTTPS proxy role) inspecting
  TLS traffic that the client meant for origin servers' eyes only. That
  will happen, of course. This is what SslBump is about.

> My point is that David wants to provide "secure" proxy which may compromise
> the security instead by bumping connections.

Right. And my point is that adding SslBump support to HTTPS proxy does
not make things _worse_ as far as "security" and "privacy" are concerned.
Compared to using SslBump in an HTTP proxy, adding SslBump support to
HTTPS proxy may make things better. How much better depends on your
threat model, of course.

No sane person would argue that bumping is a good solution. My point was
that if you have to bump, then using an HTTPS proxy is not going to make
things worse. It would be better if popular browsers would send plain
https://... URLs to an HTTPS proxy they trust, but they refuse to support
that "GET https" mode.

Cheers,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users