
Re: Squid in a school - problems with https



[cc'ing to debian-user since this is about the 15th time i am
answering this question... which i am glad to do, don't get me wrong!]

* Phillip Deackes <gsmh@gmx.co.uk> [2001.11.04 19:16:14+0000]:
> Thanks, Martin. Could you explain a little more, please. I am
> primarily a teacher, so only have a certain level of networking
> expertise. I am not sure how I would put your advice into practice.
> I understand in principle - port 443 carries ssl traffic, port 80
> carries all the normal http traffic. I need to tell squid to deal
> with port 80 traffic only. How would I make squid forward ssl
> requests to our external proxy?

HTTPS (HTTP over SSL, port 443) is encrypted traffic building on
Diffie-Hellman certificates. These help to ensure identity of the
server as well as disclosing the real data from third-parties by
encrypting them.

think about it:

(a) iff squid were able to cache HTTPS data, it would mean
it has to be able to decrypt that traffic. if squid can decrypt it, so
could everyone else. (yes, i know, SSL has been cracked. ergo: TLS).
DH certificates are pairs on all counts, there is no way to introduce
a third key into the encryption scheme (as it *is* possible with
RSA/DSA asymmetric encryption as used e.g. by PGP/GPG).

(b) you could possibly tell squid to be the other side, so that the
encryption channel exists between you and squid, and that squid
creates a new encrypted tunnel to the actual server. this is a
horrible scenario, as presumably the client will not know about
encryption failures between squid and the real server.

(c) if (b) is in effect, then the only certificate you'll ever see is
that of squid's HTTPS caching, which means that the client (you) can
never ensure that s/he is connected to the right system. this is
opening up the doors for IP spoofing and connection hijacking...

(d) SSL encrypted traffic is mostly dynamic, meaning it can't be
cached anyway.

does this make sense?

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
if you don't understand or are scared by any of
the above ask your parents or an adult to help you.
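As an added example that is not part of this thread, here is a squid.conf fragment doing what Phillip asked for: squid relays and caches plain HTTP, while CONNECT tunnels to port 443 are handed to the external proxy without squid ever looking inside them. The parent proxy name `proxy.example.net`, its port 8080, and the LAN range are placeholders, and the directive names are those of squid 2.x (`no_cache` became `cache` in later releases).

```conf
# Browsers point at this machine on the usual squid port.
http_port 3128

# The school's external proxy (placeholder hostname/port).
# parent   = forward requests to it       0        = no ICP port
# no-query = don't send it ICP probes     default  = use it when nothing else matches
cache_peer proxy.example.net parent 8080 0 no-query default

# Who may use this proxy (constructed range, adjust to the school LAN).
acl school_lan src 192.168.0.0/255.255.255.0
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Tunnels are only allowed towards the HTTPS port, and only from our LAN.
http_access deny CONNECT !SSL_ports
http_access allow school_lan
http_access deny all

# Everything leaves the site through the external proxy; squid never
# contacts origin servers itself. HTTP replies passing through are still
# cached locally under the normal rules.
never_direct allow all

# An HTTPS tunnel is opaque to squid (the point made in (a) above), so
# mark it uncacheable explicitly; squid only relays the encrypted bytes.
no_cache deny CONNECT
```

The browser still sees the real server's certificate, because squid and the external proxy only pass the encrypted tunnel along rather than terminating it (the scenario martin warns about in (b) and (c)).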
