[Hmmm, word wrap please!]

On Tue, Dec 15, 1998 at 10:00:33AM +1000, Graham Maltby wrote:
> What are the implications (security or other) of removing the restriction on what
> port squid will make SSL connections.
>
> We have a particular web site that is using port 2000 for their SSL server, "to
> improve security". To allow this through the proxy I've added 2000 to the SSL_ports.
> Can someone explain the need for this ACL (SSL_ports)?
> 

SSL_ports is necessary to stop Squid being used as a generic "hole" through
which nasty users can tunnel out of your nice firewall-protected network.

As HTTPS involves end-to-end encryption exchanges, the proxy in the middle
cannot be involved in crypt-negotiations - so it has to just act as a
tunnel. As such this is a "security hole" as anything could be done through
that tunnel - instead of the HTTPS traffic we were expecting.

All Web proxies suffer from this problem.

Basically SSL_ports limits the ports on which this "hacking" could work - it
really isn't a fix tho... :-(

-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
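The SSL_ports mechanism described in the reply, shown as a squid.conf fragment. This is an added illustration, not configuration from the original post or from the Squid project's files: the acl names (SSL_ports, CONNECT) and ports 443/563 are Squid's stock defaults, and port 2000 is the non-standard port from the thread.

```conf
# Added example: the CONNECT-tunnel restriction discussed in the reply.
# Ports on which Squid will tunnel a CONNECT request. 443 (HTTPS) and 563
# (SNEWS) are the stock defaults; 2000 is the site-specific port from the thread.
acl SSL_ports port 443 563 2000

# CONNECT is the method a browser uses to ask the proxy for a raw TCP tunnel.
# The proxy cannot see inside the encrypted session, so the destination port
# is the only thing it can check.
acl CONNECT method CONNECT

# Refuse tunnels to any port not listed above. Without this deny line the
# SSL_ports acl is only a list and has no effect: a CONNECT to any port would
# be passed straight through the firewall.
http_access deny CONNECT !SSL_ports

# The weak setting, for contrast: an unconditional allow for CONNECT turns the
# proxy into the generic "hole" the reply warns about. Left commented out.
# http_access allow CONNECT
```

The caveat from the reply still applies: with the deny in place, whatever speaks on 443, 563 or 2000 can still be tunnelled, so the ACL narrows the exposure rather than closing it. Squid records CONNECT requests in access.log, which is where to look for tunnels to unexpected destinations.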
