[squid-users] Re: grab password from url

From: Adam Aube <[email protected]>
Date: Fri, 07 Jan 2005 17:32:50 -0500

Luca Marchiori wrote:
> Henrik Nordstrom wrote:

>> So your real question is if it is possible to determine with the help of
>> Squid if this employee is uploading confidential information to a third
>> party web site.

> We already know the employee is uploading confidential information to the
> internet.

Then turn over your proof to local law enforcement, and let them deal with
it - you don't need the username and password for this.

>> Generally speaking, if the web site is https based then all you can see
>> is the amount of traffic going in both directions

> Already done! HTTPS. Traffic confirm our suspect. We need user/password

Due to the design of SSL, Squid cannot see the contents of HTTPS traffic.
This includes the URL, so it is not possible to get the username and
password this way.

>> In an ethical point of view stealing the users personal login details to
>> this third party web site by analyzing his traffic is very dubious in my
>> view, and probably illegal in many countries.

> My customer knows all. He pays me for technical things and he will pay
> lawers for them things.

I would suggest YOU speak with an attorney to make sure you adequately
protect yourself - it would be easy for your customer to simply say "I
never asked him to do that" if this backfired on him.

All your customer's money an lawyers won't do you any good if he decides to
pin the blame on you to save himself.

>>You surely should be able to make up better approaches in
>>proving/disproving the claims of Internet connection abuse.

> Already done with a HW keylogger (fantastic toy !).

If you are using such a "fantastic toy", then you should already have the
username and password - unless it's not quite so "fantastic".

Adam
Received on Fri Jan 07 2005 - 15:32:59 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST