Re: [squid-users] How Bad is CONNECT and Should I Prevent It?

From: K K <kkadow@dont-contact.us>
Date: Fri, 22 Jun 2007 12:45:35 -0500

On 6/21/07, Chuck Kollars <ckollars9@yahoo.com> wrote:
> I think what we really need is just the much simpler
> blacklist/whitelist capability. If we can
> transparently intercept, and give a
> thumbs-up/thumbs-down to every destination IP address
> (perhaps after doing a reverse DNS lookup on it),
> that's all we need.

No need to transparently intercept for this, and no need for new code.
Just configure the client to proxy SSL via Squid, and use the existing
ACLs to set the policy for the 'CONNECT' method, similar to what I
showed in a previous post in this thread.

> In my experience, fingerprinting the type of traffic
> turns out to not be very useful ...after all the
> difficulty of implementing it. Why?

Fingerprinting is relatively easy, but is not nearly as effective (or
invasive) as doing true MITM where you actually break the end-to-end
encryption to inspect the payload.

> 1) There's "legitimate" traffic on 443 that's not web
> traffic (for example LogMeIn or SSH). Forbidding
> everything that's non-web is just shooting yourself in
> the foot.

I strongly disagree: LogMeIn and SSH-over-443 are illegitimate, and
should be forbidden in any environment with real security policy (that
is, anywhere except a public ISP).

> 2) A big problem is https: proxies, as they're real
> easy to use and will completely bypass all filters.
> But they _do_ look like web traffic, so they couldn't
> be forbidden by reasonable fingerprinting.

True. That's where a blacklist/whitelist for general HTTPS traffic comes in.

Or better yet, use real MITM interception, and the https: proxies no
longer bypass your filters, since no SSL/TLS traffic can make it out
of your network alive.

Kevin
Received on Fri Jun 22 2007 - 11:45:39 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT