On 05/07/2014 06:44 AM, Pawel Mojski wrote:
On 2014-05-07 04:52, Jay Jimenez wrote:
Hi Marcus and Amos,

[...]

I'm wondering if there's someone who successfully allowed Skype to
fake CONNECT to squid (I'm referring to interception not explicit
proxying). I cannot fully implement https interception until I find a
solution to properly intercept Skype.

Many thanks in advance for all the help.

It is very difficult to implement it on squid, but theoretically you
may bypass any sslbumping to a remote side which introduces itself with this
certificate chain:
Certificate chain
  0 s:/CN=*.gateway.messenger.live.com
    i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
  1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
    i:/CN=Microsoft Internet Authority
  2 s:/CN=Microsoft Internet Authority
    i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

There is a misunderstanding here.
Skype does not use SSL, it only uses port 443 which is commonly used by SSL,
but skype knows that there is a proxy and uses the CONNECT method to get a 
tunnel from Squid.
Squid (without SSL-bump) then simply "tunnels" (i.e. passes everything from the 
client to the server and back).
But _with_ ssl-bump Squid assumes that the CONNECT is for an SSL connection and 
this assumption is wrong.

You can *try* to prepare your own external acl helper to check it.
Skype transmission by design is ssl over 443 tcp port, but if skype
detects that the remote server introduces itself with a wrong certificate, then it just
drops the connection.
We can't even check if the transmission is really http over ssl, it might be
anything.

But, the most important question is why you want to do it?
Letting skype go through, you are opening your local network to really
don't know what. It can be any transmission, file sharing, remote
desktop, you name it. So all your security mechanisms you can throw
away; they are useless with open skype.

This is entirely correct.  Skype has too many features that bypass security 
measures and the worst is that Skype has an API which any 3rd party program 
(including a virus) can use.
So think twice before allowing Skype.

Marcus

Regards;
Pawel Mojski
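Marcus's point above is that ssl-bump treats every CONNECT as if it carried SSL, and Pawel's is that a helper could only reason about the remote certificate once it knows a TLS handshake is in progress at all. As an added illustration (not code from this thread or from Squid), the following inspects the first client bytes of a tunnel and reports whether they are a TLS ClientHello, and if so which SNI it names, which is the input any splice/bump/deny decision would need; `build_client_hello`, `classify_tunnel_start`, `extract_sni` and the sample bytes are constructed for this example.

```python
import struct

# Constructed sample of a tunnel that merely uses port 443 without speaking TLS.
NON_TLS_SAMPLE = b"PROPRIETARY-HELLO v1\r\n\x00\x01\x02"

def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello with one SNI extension (test fixture)."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host  # list_len, host_name, name_len
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext                # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return struct.pack("!BBBH", 0x16, 3, 1, len(handshake)) + handshake  # record header

def classify_tunnel_start(data: bytes):
    """Return ("tls", sni) if data starts with a complete ClientHello record, else ("opaque", None)."""
    # Record layer: type 0x16 handshake, version 3.x; handshake type 0x01 ClientHello.
    if len(data) < 9 or data[0] != 0x16 or data[1] != 3 or data[2] > 3 or data[5] != 0x01:
        return ("opaque", None)
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 > rec_len or len(data) < 9 + hs_len:
        return ("opaque", None)
    return ("tls", extract_sni(data[9:9 + hs_len]))

def extract_sni(body: bytes):
    """Walk the ClientHello body to the server_name extension; None if absent or malformed."""
    try:
        pos = 2 + 32                                    # client_version + random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None
```

A tunnel classified as "opaque" is exactly the case the thread describes: there is no certificate to check and nothing for ssl-bump to work on, so the only choices are to pass it blind or to deny it.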


