Hi there

I've started testing sslbump with "ssl_bump server-first" and have
noticed something (squid-3.4.5).

If your clients have the "Proxy CA" cert installed and go to legitimate
https websites, then everything works perfectly (excluding Chrome with
its pinning, but there's no way around that). However, if someone goes
to an https website with either a self-signed cert or a server cert
signed by an unknown CA, then squid generates a "legitimate" SSL cert
for the site, but shows the squid error page to the browser - telling
them the error.

The problem with that model is that it means no-one can get to websites
using self-signed certs. Using "sslproxy_cert_adapt" to allow such
self-signed certs is not a good idea - as then squid is effectively
legitimizing the server - which may be a Very Bad Thing.

So I was thinking, how about if squid (upon noticing the external site
isn't trustworthy) generates a deliberate self-signed server cert itself
(i.e. not signed by the Proxy CA)? Then the browser would see the
untrusted cert, the user would get the popup asking if they want to
ignore cert errors, and can then choose whether to trust it or not. That
way the user can still get to sites using self-signed certs, and the
proxy gets to "see" into the content, potentially running AVs over
content/etc.

...or haven't I looked hard enough and this is already an option? :-)

Thanks
--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Received on Mon Jul 14 2014 - 03:57:16 MDT