On Tue, 11 Oct 2011 21:21:23 +0100, Alex Crow wrote:
> On 11/10/11 16:53, Luis Daniel Lucio Quiroz wrote:
>> 2011/10/11 Alex Crow<alex_at_nanogherkin.com>:
>>> On 11/10/11 14:29, Eduardo Porte wrote:
>>>> Hi!
>>>>
>>>> I'm trying without success to block the site:
>>>> https://www.hidemyass.com.
>>>>
>>>> My question is, how can I block some specific HTTPS sites and allow
>>>> others?
>>>>
>>>> In this example, I need to block only https://www.hidemyass.com.
>>>>
>>>> Which ACL in squid.conf should I use ?
>>>>
>>>>
>>>> Tks.
>>> Are you using transparent mode? If so, you can't block HTTPS.
>>>
>>> Alex
>>>
>> He hasn't said it is transparent.
>>
>> Because HTTPS is encrypted, you can only block IP or domain name,
>> block the domain .hidemyass.com with dstdomain acl, this should work
>>
>> LD
>> http://www.twitter.com/ldlq
> He did now, and my assumption was correct. I can't guarantee it will
> always be, but most of the time it seems that people think that
> transparent mode can filter HTTPS.
>
> I think I am becoming the default "HTTPS stuff does not work in
> transparent mode"/"if you have control of the network - do PAC/WPAD
> instead" guy on this list.
>
> Amos - can we move this to the top of the "common gotchas" in the
> FAQ? This must be about the 4th query with the same cause this month.

I'm suspecting it's because there is a group of people actively
advertising interception and decryption now as a good thing. There are
still some limits in place on intercept, but these are falling
away gradually as the corporate admins hack away in quest of absolute
control over the workers' communications. I expect SSL will be as open
and vulnerable as HTTP is now in just a few years.

I've added a bit more documentation to the HTTPS page and bumped the
MITM section to the top.
http://wiki.squid-cache.org/Features/HTTPS

> BTW, I sent you a logfile re: 3.2 auth, didn't make it to the list,
> did you get it?

Nothing came in this last week IIRC. I have unfortunately not had time
to go over many of the auth bugs for the last few months. Just one in
Digest handling. If it was before that, it's probably in my TODO list of
emails.

Amos
Received on Tue Oct 11 2011 - 23:57:35 MDT
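
Added example, not part of the thread or of the Squid project's documentation: a squid.conf fragment for the dstdomain approach suggested above, for the non-transparent case where browsers are explicitly pointed at the proxy (manually or through PAC/WPAD). The port number, the ACL names and the client address range are assumptions chosen for illustration.

```conf
# Explicit (forward) proxy listener. Clients must be configured to use it,
# so HTTPS requests arrive as "CONNECT host:443" and the hostname is
# visible to Squid before any encryption starts.
http_port 3128

# Leading dot: matches hidemyass.com and every subdomain of it.
acl blocked_sites dstdomain .hidemyass.com

# Standard helper ACLs.
acl CONNECT method CONNECT
acl SSL_ports port 443

# Constructed example range for the internal clients; adjust to your network.
acl localnet src 192.168.0.0/16

# http_access rules are evaluated top to bottom and the first match wins,
# so the deny for the blocked domain must come before any allow.
# This one rule covers both plain HTTP requests and HTTPS CONNECT tunnels,
# because dstdomain is matched against the host named in the request.
http_access deny blocked_sites

# Refuse CONNECT tunnels to anything other than the HTTPS port.
http_access deny CONNECT !SSL_ports

# Everything else from the internal network is allowed, the rest is denied.
http_access allow localnet
http_access deny all
```

Running `squid -k parse` checks the file for syntax errors before a reload. As the thread says, this does not help when the proxy is used in transparent mode.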