Re: Redirect HTTPS with Squid3+Squidguard

To: debian-user@lists.debian.org
Subject: Re: Redirect HTTPS with Squid3+Squidguard
From: Sven Hartge <sven@svenhartge.de>
Date: Thu, 26 Mar 2015 12:58:19 +0100
Message-id: <[🔎] 11bg3gmtrodv8@mids.svenhartge.de>
References: <[🔎] 550F1FB8.1030309@abwesend.de> <[🔎] jbfpujsrodv8@mids.svenhartge.de> <[🔎] 20150322161031459610300.NoCcsPlease@bob.proulx.com> <[🔎] kbfqc92rodv8@mids.svenhartge.de> <[🔎] trinity-16611559-8bb9-4e79-9f61-9b027df65c5b-1427099581524@3capp-gmx-bs01> <[🔎] slrnmgvmdm.5bu.liam.p.otoole@dipsy.tubbynet> <[🔎] lbfrnnsrodv8@mids.svenhartge.de> <[🔎] 55109358.7080509@abwesend.de> <[🔎] mbfu3k3rodv8@mids.svenhartge.de> <[🔎] 20150324153518514183009.NoCcsPlease@bob.proulx.com> <[🔎] 5513EE85.5060908@abwesend.de>

Michael I. <linux-michael-i@abwesend.de> wrote:

> But I have a new problem, I want to have a transparent proxy for http 
> this works fine but when I add the iptables rule for https the loading 
> won't work.

Of course not. That this is not working is the _whole point_ of any
end-to-end encrypted connection.

What you are effectivly trying to do is an Man-in-the-Middle "attack".

You cannot transparently proxy *any* encrypted connection without major
trickery, like I wrote in my first mail. You would need a fake CA
certificate (why this is a _very_ bad idea you just have to look at the
latest CNNIC and MSC debacle: (sorry, German URL)
<https://www.psw-group.de/blog/cnnic-signiert-falsche-google-zertifikate/2112>
or
<http://www.heise.de/security/meldung/Google-deckt-erneut-Missbrauch-im-SSL-Zertifizierungssystem-auf-2583414.html>), and have your proxy terminate the end-to-end encryption by issuing a fake certificate on the fly, so that the client is satisfied and then create another new encrypted connection to the intended end-point.

There _are_ security appliances out there which work in that way but
they are considered _very_ *very* bad practice and should be avoided at
all costs.

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.

Reply to:

Follow-Ups:
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Peter Viskup <skupko.sk@gmail.com>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: "Michael I." <linux-michael-i@abwesend.de>

References:
- Redirect HTTPS with Squid3+Squidguard
  - From: "Michael I." <linux-michael-i@abwesend.de>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Sven Hartge <sven@svenhartge.de>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Bob Proulx <bob@proulx.com>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Sven Hartge <sven@svenhartge.de>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: linux-michael-i@abwesend.de
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Liam O'Toole <liam.p.otoole@gmail.com>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Sven Hartge <sven@svenhartge.de>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: "Michael I." <linux-michael-i@abwesend.de>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Sven Hartge <sven@svenhartge.de>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: Bob Proulx <bob@proulx.com>
- Re: Redirect HTTPS with Squid3+Squidguard
  - From: "Michael I." <linux-michael-i@abwesend.de>

Prev by Date: Re: Redirect HTTPS with Squid3+Squidguard
Next by Date: Re: Redirect HTTPS with Squid3+Squidguard
Previous by thread: Re: Redirect HTTPS with Squid3+Squidguard
Next by thread: Re: Redirect HTTPS with Squid3+Squidguard
Index(es):
- Date
- Thread