Hi Jason,
If you think the external acl method is too expensive to run, how do you
expect to feed this NIDS data back into squid? I think you'd find you'd
need an external acl check to do that bit anyway :-)
I should have been clearer - my use of the term feedback loop was
meant to imply that
On 08/01/15 18:41, Chris Bennett wrote:
Interesting thread so far. Has anyone thought of using Bro-IDS as a
feedback loop for some of this advanced logic for bypassing bumping?
The external acl method mentioned earlier probably out-does using some
NIDS feedback loop. In my testing it causes
On 06/01/15 05:28, Eliezer Croitoru wrote:
In 3.5 there will be a new feature called peek and splice that
gives Squid and the admin an interface which will allow the admin to know
a couple of things about the connection from Squid, and specifically,
first, the client TLS request.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Sounds good,
but the server world does not end at Linux. ;)
Other *NIX systems exist now, and more will exist.
Also, I have an idea, gents.
Can we easily and quickly detect SSL-pinned destinations? And remember
them, for example, in a database?
On 01/01/15 00:11, James Harper wrote:
The helper connects to the IP:port and tries to obtain the certificate, and
then caches the result (in an sqlite database). If it can't do so within a
fairly short time it returns failure (but keeps trying a bit longer and caches it for
next time).
Much of the discussion so far has been about bumping traffic on port 443,
bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
other traffic. Since port 443 is used for many protocols, it is in many
cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443
are common,
On 01/05/2015 11:11 AM, Yuri Voinov wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
And also:
don't forget about bogus homebrew internet-banking sites, which use bogus
SSL certs with bogus GOST implementations, and bogus Java-based clients. All of
them also use port 443, and often HTTPS
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I think
non-HTTP/HTTPS security issues are never ever a Squid function.
Squid is not an all-in-one security solution. It's only an HTTP proxy.
For other security breaches (i.e. SSH tunnels, various browser
tunnel-related plugins, Tor, etc.) we have
Marcus, not to distract from the very important main points being discussed
here but I have to question your last line:
i.e. there is not yet an interface for this type of traffic inspection.
Is that not the whole point of Squid's ICAP interface and HTTPS bumping? Or
do you just mean that
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Wait a minute, gents.
What about ICAP? What did I skip?
05.01.2015 20:38, Douglas Davenport wrote:
Marcus, not to distract from the very important main points being discussed
here but I have to
question your last line:
i.e. there is not yet an
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/05/2015 05:18 PM, Yuri Voinov wrote:
We aren't filtering non-HTTP over port 443. Just recognize and
pass.
So let's separate security, which is one of the goals of Squid and
which some like and others don't.
For now squid 3.4 is stable and 3.5
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Agreed.
I'm an expert on shell, not Perl/Python. :)
But I will try to make something useful with it.
05.01.2015 22:28, Eliezer Croitoru wrote:
On 01/05/2015 05:18 PM, Yuri Voinov wrote:
We aren't filtering non-HTTP over port 443. Just recognize and
On 01/05/2015 12:38 PM, Douglas Davenport wrote:
Marcus, not to distract from the very important main points being discussed
here but I have to question your last line:
i.e. there is not yet an interface for this type of traffic inspection.
Is that not the whole point of Squid's ICAP
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
We aren't filtering non-HTTP over port 443. Just recognize and pass.
05.01.2015 21:15, Marcus Kool wrote:
On 01/05/2015 12:38 PM, Douglas Davenport wrote:
Marcus, not to distract from the very important main points being
discussed here but I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
To return to Earth:
I think a good idea is built-in (maybe in ssl_crtd?) functionality to
check a port 443 connection for "Is there HTTPS inside?" and, if not, do not
bump by default.
This is so simple and fast, isn't it? And we can have some config option
Seems to me it would be more useful as an external ACL so that a decision
could be made based on other factors, e.g. src or dstdomain, whether to deny or
allow the un-bumpable connection.
On Sun, Jan 4, 2015 at 4:29 PM, Yuri Voinov yvoi...@gmail.com wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash:
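The two ideas above (James's helper that connects to the destination, tries to obtain a certificate and caches the answer with a short timeout, and Yuri's and Jason's suggestion of an external ACL that decides whether there is HTTPS inside a port 443 connection before bumping) are easiest to judge with a concrete helper in hand. What follows is an added example written for this page, not James Harper's helper and not anything shipped with Squid. It speaks Squid's line-oriented external_acl_type protocol (one "<dst> <port>" request per line, one OK/ERR/BH reply per line, with the channel id echoed when concurrency= is used), sends a minimal TLS ClientHello and classifies the first record the peer returns, and keeps an in-memory TTL cache with a shorter TTL for negative answers. The helper name tlscheck, the timeout and TTL constants, and the two canned loopback peers (an SSH banner and a TLS handshake_failure alert) are assumptions made so it runs offline; they are marked as such in the code.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external_acl_type helper (added example; not James Harper's helper and not
code shipped with Squid). Answers OK when a port-443 destination really speaks TLS and ERR when
it does not, so ssl_bump rules can splice tunnels and bump the rest. Squid writes "<dst> <port>"
per line (a channel id first under concurrency=) and reads back one line: OK, ERR or BH."""
import contextlib, os, socket, struct, sys, threading, time

PROBE_TIMEOUT = 3.0   # assumption: a peer silent this long is answered with ERR
CACHE_TTL = 3600.0    # assumption: how long a positive answer is trusted
FAILURE_TTL = 60.0    # assumption: negative answers are re-probed sooner (transient outages)

def build_client_hello():
    """Minimal TLS 1.2 ClientHello (RFC 5246): two cipher suites, no extensions. Any TLS
    server answers with a ServerHello or at least an alert; an SSH/VPN daemon does not."""
    body = (b"\x03\x03" + os.urandom(32)            # client_version 3.3, random
            + b"\x00"                                # empty session_id
            + b"\x00\x04\xc0\x2f\x00\x2f"            # ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-SHA
            + b"\x01\x00")                           # null compression only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body     # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # handshake record, version 3.1

def classify_first_record(head):
    """A TLS server's first bytes are a handshake (0x16) or alert (0x15) record, version 3.x."""
    if len(head) >= 3 and head[0] in (0x16, 0x15) and head[1] == 3 and head[2] <= 4:
        return True, "tls %s record 3.%d" % ("handshake" if head[0] == 0x16 else "alert", head[2])
    return False, ("non-tls reply %r" % head) if head else "peer closed without a TLS reply"

def probe_tls(host, port, timeout=PROBE_TIMEOUT):
    """Connect, send the ClientHello, read one record header (5 bytes) and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            head = b""
            while len(head) < 5:
                chunk = s.recv(5 - len(head))
                if not chunk:
                    break
                head += chunk
    except OSError as e:            # refused, reset or timed out (socket.timeout is an OSError)
        return False, "unreachable: %s" % e
    return classify_first_record(head)

def cached_probe(cache, host, port, prober=probe_tls, clock=time.monotonic):
    """Probe a destination once per TTL, not once per request. Negative answers expire
    sooner, the same idea as a helper that keeps trying a bit longer after a failure."""
    now = clock()
    hit = cache.get((host, port))                   # (is_tls, detail, expires_at)
    if hit and hit[2] > now:
        return hit[0], hit[1]
    is_tls, detail = prober(host, port)
    cache[(host, port)] = (is_tls, detail, now + (CACHE_TTL if is_tls else FAILURE_TTL))
    return is_tls, detail

def handle_request(line, cache):
    """One request line in, one reply line (without newline) out."""
    fields = line.split()
    chan, fields = (fields[0] + " ", fields[1:]) if len(fields) == 3 else ("", fields)  # channel id
    if len(fields) != 2 or not fields[1].isdigit():
        return chan + "BH message=bad_request"      # BH = helper-side problem (Squid 3.4+)
    is_tls, detail = cached_probe(cache, fields[0], int(fields[1]))
    sys.stderr.write("tlscheck %s:%s %s\n" % (fields[0], fields[1], detail))   # lands in cache.log
    return chan + ("OK" if is_tls else "ERR")

def main():
    cache = {}
    for line in sys.stdin:          # Squid blocks on each request until the reply line is flushed
        sys.stdout.write(handle_request(line, cache) + "\n")
        sys.stdout.flush()

# Constructed peers so the demo runs offline: one answers like an SSH daemon parked on 443,
# the other like a TLS server that rejects our cipher suites with a handshake_failure alert.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.2\r\n"
TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

def start_canned_server(reply):
    """Serve one loopback client with `reply`, then close; return the listening port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        conn.settimeout(2.0)
        conn.sendall(reply)
        with contextlib.suppress(OSError):
            conn.recv(4096)         # drain the ClientHello so close() sends FIN rather than RST
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    cache = {}
    ssh, tls = start_canned_server(SSH_BANNER), start_canned_server(TLS_ALERT)
    return {"ssh": handle_request("127.0.0.1 %d" % ssh, cache),      # "ERR": splice it
            "tls": handle_request("7 127.0.0.1 %d" % tls, cache),    # "7 OK": bump it (channel 7)
            "bad": handle_request("127.0.0.1 https", cache)}         # "BH message=bad_request"

if __name__ == "__main__":
    print(demo()) if sys.stdin.isatty() else main()
```

Wiring it in would look like `external_acl_type tlscheck ttl=3600 negative_ttl=60 %DST %PORT /usr/local/bin/tlscheck.py`, `acl speaks_tls external tlscheck`, then `ssl_bump splice !speaks_tls` ahead of `ssl_bump bump all` (3.5 splice syntax; the path and acl name are illustrative). Two caveats worth keeping in mind: the helper opens its own connection to the origin, so it sees what the proxy would be shown, not necessarily what the client's own ClientHello (SNI, ALPN) would elicit; and a destination that accepts the TCP connection and then stays silent ties up a helper child for PROBE_TIMEOUT seconds per uncached lookup, which is the per-request cost of the external acl approach the thread is weighing. An alert in reply still counts as TLS on purpose: a server that refuses these two cipher suites is still a TLS server, and bumping it is Squid's job, not the helper's.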
On 05/01/15 15:44, Eliezer Croitoru wrote:
A squid helper is nice but... an NFQUEUE helper that can verify whether to
FORWARD or BUMP the connection would be a better-suited solution in my
opinion.
Not sure if you're ignoring the ssl-peek work, but squid still needs to
be able to peek in order for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hey Thread(Jason,Yuri,Douglas...),
There are a couple of aspects about SSL and connections in general, and
as we talk about the SSL port I first would like to put a couple of things on
the table.
* Squid is an HTTP caching proxy and therefore every feature
On 01/01/15 00:11, James Harper wrote:
The helper connects to the IP:port and tries to obtain the certificate, and
then caches the result (in an sqlite database). If it can't do so within a
fairly short time it returns failure (but keeps trying a bit longer and
caches it for next time).
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The term HTTPS is often used as "any connection over port 443".
03.01.2015 13:59, Jason Haar wrote:
On 01/01/15 00:11, James Harper wrote:
The helper connects to the IP:port and tries to obtain the
certificate, and then caches the result (in an sqlite
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2/01/2015 1:21 p.m., Eliezer Croitoru wrote:
Hey Yuri,
You would want to avoid sqlite as far as you can due to its whole
DB file LOCK nature.
Indeed. My experience with SQLite has been that it is vastly slower
than other DB options even a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2/01/2015 4:33 p.m., Amos Jeffries wrote:
Yuri, regarding Squid packaged helpers...
Oops, sorry, that should have been directed at James or anyone wishing
to bundle his helper with Squid.
Distribution of any code within the Squid package
Probably non-HTTPS protocol being used.
As bumping gets more popular we are hearing about a number of services
abusing port 443 for non-HTTPS protocols on the false assumption that
the TLS layer goes all the way to the origin server without
inspection. That has never been a true
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 31/12/2014 2:12 a.m., Yuri Voinov wrote:
Hi gents,
I found a strange issue.
Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs
correct.
While all web https sites work perfectly - especially in
Chrome, most cloud
Subject: [squid-users] Squid 3 SSL bump: Google drive application could not
connect
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi gents,
I found a strange issue.
Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.
While all web https sites work perfectly
on behalf of Yuri Voinov yvoi...@gmail.com
Sent: Tuesday, December 30, 2014 2:12 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 3 SSL bump: Google drive application could not connect
Hi gents,
I found a strange issue.
Squid 3.4.10. Intercept. HTTPS bumping. All
-users] Squid 3 SSL bump: Google drive application could not connect
Only exclusion from SSL Bump as far as I know.
raf
From: Yuri Voinov yvoi...@gmail.com
Sent: Tuesday, December 30, 2014 3:19 PM
To: Rafael Akchurin;
squid-users
squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Rafael Akchurin
Sent: Tuesday, December 30, 2014 4:23 PM
To: Yuri Voinov; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
Only
; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
Already found this lonely right post ;) I have Google-Fu too :) And it is
longer than yours :)
Anyway,
all of these issues are solved.
I have snoop (not Windoze Wireshark
Perfect thanks a lot!!!
Raf :)
From: Yuri Voinov [mailto:yvoi...@gmail.com]
Sent: Tuesday, December 30, 2014 9:23 PM
To: Rafael Akchurin; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not
connect
-BEGIN PGP SIGNED MESSAGE
On Dec 30, 2014 7:04 PM, Amos Jeffries squ...@treenet.co.nz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 31/12/2014 6:30 a.m., shawn wilson wrote:
On Dec 30, 2014 8:57 AM, Amos Jeffries wrote:
As bumping gets more popular we are hearing about a number of
services