Re: [squid-users] SSL is a security hole

From: Henrik Nordstrom <[email protected]>
Date: Fri, 7 Mar 2003 12:13:40 +0100

On Friday 07 March 2003 09.13, Christoph Haas wrote:
> On Fri, Mar 07, 2003 at 12:25:26AM +0100, Henrik Nordstrom wrote:
> > You can always use IDS tools like snort and the like to detect
> > such strange traffic patterns.
>
> But how can snort tell one SSL connection from the other?

You can very easily tell an SSH connection from an SSL connection.

> I would love to add this to my personal (empty so far) wishlist of
> Squid features. In my mind Squid is a security component and
> minimize as many security holes as possible.

Squid's primary job is HTTP proxying, not firewalling.

> If Squid would offer such a man-in-the-middle feature that would
> surely mean that users will always get the Squid SSL certificate
> and won't be sure who is on the other peer. But that would be the
> best solution IMHO.

If using an SSL man-in-the-middle then clients have to put full trust
into the man-in-the-middle. This includes trusting whatever
certificate the man-in-the-middle presents to the user, and trusting
the man-in-the-middle to verify any SSL certificates received from
the origin servers, and also trusting the man-in-the-middle in
providing client certificate identification to the origin servers if
needed/wanted.

Regards
Henrik
Received on Fri Mar 07 2003 - 04:10:32 MST
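
Added example, not part of the original message or of Squid or snort: a sketch of why SSH and SSL are easy to tell apart from the first client bytes seen inside a tunnel to port 443. SSH opens with a cleartext "SSH-" identification line, while SSL/TLS opens with a binary record header. The function names, flow tuples and byte strings are constructed for illustration.

```python
import struct

def classify_tunnel_start(data: bytes) -> str:
    """Classify the first client-to-server bytes of a tunneled connection."""
    # SSH: the client opens with a cleartext identification line,
    # "SSH-<protoversion>-<softwareversion>".
    if data.startswith(b"SSH-"):
        return "ssh"
    # SSLv3/TLS: 5-byte record header (type, major, minor, length),
    # followed by the handshake message type.
    if len(data) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", data[:5])
        if (rec_type == 0x16 and major == 3 and minor <= 4
                and 0 < length <= 16384 and data[5] == 0x01):
            return "tls"  # handshake record carrying a ClientHello
    # SSLv2-format ClientHello: 2-byte header with the high bit set,
    # message type 1, then the offered version (0x0002 or 0x03xx).
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        if data[3] == 3 or (data[3] == 0 and data[4] == 2):
            return "sslv2-hello"
    return "other"

def flag_non_ssl(flows):
    """Return (client, server, kind) for port-443 flows that do not start as SSL.

    flows: iterable of (client, server, port, first_bytes) tuples.
    """
    flagged = []
    for client, server, port, first_bytes in flows:
        kind = classify_tunnel_start(first_bytes)
        if port == 443 and kind not in ("tls", "sslv2-hello"):
            flagged.append((client, server, kind))
    return flagged

# Constructed sample flows (documentation addresses, hand-built bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443,
     b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"),
    ("10.0.0.6", "192.0.2.20", 443, b"SSH-2.0-ExampleClient_1.0\r\n"),
    ("10.0.0.7", "192.0.2.30", 443, b"\x80\x2e\x01\x03\x01\x00\x15"),
    ("10.0.0.8", "192.0.2.40", 443, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in flag_non_ssl(SAMPLE_FLOWS):
        print(hit)
```

This only inspects the opening bytes; it says nothing about what is carried inside a connection that does begin with a valid SSL handshake.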
