Re: filtering HTTPS

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Wed, 14 Mar 2012 11:01:46 +0200

On 03/13/2012 05:12 PM, Marcus Kool wrote:
>
>
> Henrik Nordström wrote:
>> And if both sides are monitored for traffic then detection does not
>> need to rely on a timeout. If any message is seen from the server, or if
>> something that does not look like an SSL hello is seen from the client,
>> then enter tunnel mode.
>>
>> There is one but still, non-http protocols over ssl/tls, not just
>> CONNECT but actual ssl/tls. Those need ssl/tls tunnel mode where
>> application protocol is tunneled between client and server ssl
>> connection. And maybe a dynamic ssl-bump blacklist.
>
> Where does the filtering get involved? Also non-SSL sites (aka
> tunnel mode) need to be filtered/blocked and/or scanned for viruses.

Is it a good idea to try filtering any(?) protocol (e.g. Skype, streaming
servers etc.) using HTTP proxies and the ICAP protocol, which was
implemented to filter HTTP content?

>
>> A sslbump whitelist is probably desired as well, skipping ssl/tls
>> verification if it's already known the server is an https server.
>
> A whitelist has a security issue: www.mybank.com can be safe today and
> hacked tomorrow.

I agree with Henrik here. The whitelist is a list saying that
sslbump cannot be used for some sites.

> Skipping certificate verification is unsafe. One should be extremely
> careful on skipping it.
> A certificate cache seems better: one caches the certificates of
> www.mybank.com, and on the next CONNECT (the SSL handshake has to be done
> anyway) Squid can bypass the certificate checking rules if the
> certificates sent were used in previous CONNECTs.

This is a security issue. The server certificate may change for many
reasons, e.g. being considered unsafe because of a bad private/public key.
You should always check the server certificate.

> And maybe also a CONNECT cache: so that Squid remembers to go into
> tunnelmode directly without trying to do a SSL handshake for every Skype
> connection.
>
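The tunnel-versus-bump decision Henrik describes above (tunnel if the server speaks first or if the client's first bytes are not a TLS hello), written out as an added example. This is not code from the thread or from Squid; the function names, the `"tunnel"`/`"bump"` labels and the sample byte strings are constructed for illustration, and only the TLS record and handshake headers are inspected so the check needs at most 9 bytes and never waits on a timeout.

```python
import struct

# TLS record content type for handshake messages (RFC 5246 section 6.2.1)
# and the ClientHello handshake message type (RFC 5246 section 7.4).
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Return True if the first bytes a client sent after CONNECT look like
    the start of a TLS ClientHello.

    Record header (5 bytes): type, version major, version minor, length.
    Handshake header (4 bytes): handshake type, 24-bit length.
    Anything shorter than 9 bytes cannot be judged yet, so it is not a hello.
    SSLv2-style hellos (first byte 0x80) are deliberately not recognised.
    """
    if len(data) < 9:
        return False
    content_type, major, minor, record_len = struct.unpack("!BBBH", data[:5])
    if content_type != TLS_HANDSHAKE:
        return False
    # The record-layer version is 3.x for SSL 3.0 through TLS 1.3
    # (TLS 1.3 clients still put 3.1 or 3.3 in the record header).
    if major != 3 or minor > 4:
        return False
    handshake_type = data[5]
    handshake_len = int.from_bytes(data[6:9], "big")
    if handshake_type != TLS_CLIENT_HELLO or handshake_len == 0:
        return False
    # A record must at least hold the 4-byte handshake header. The hello
    # body itself may be fragmented over several records, so we do not
    # insist that handshake_len + 4 == record_len.
    return record_len >= 4


def decide(client_bytes: bytes, server_spoke_first: bool) -> str:
    """Henrik's rule: in TLS the client always speaks first, so a server
    that sends anything before the client is not running TLS. Otherwise
    the client's opening bytes must parse as a ClientHello to bump.
    """
    if server_spoke_first:
        return "tunnel"
    if not looks_like_tls_client_hello(client_bytes):
        return "tunnel"
    return "bump"


# Constructed samples (not captured traffic):
# TLS 1.0 record header carrying a 161-byte ClientHello (type 0x01).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100a5010000a10303") + bytes(32)
# An SSH server banner, i.e. a non-TLS protocol where the server speaks first.
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.9\r\n"
# Plain HTTP sent through a CONNECT tunnel.
SAMPLE_PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, data, server_first in (
        ("tls client", SAMPLE_CLIENT_HELLO, False),
        ("ssh server banner", SAMPLE_SSH_BANNER, True),
        ("plain http", SAMPLE_PLAIN_HTTP, False),
    ):
        print(f"{label:20s} -> {decide(data, server_first)}")
```

The proxy would call `decide()` once it has read the first few client bytes or has seen the server send anything at all, which is why neither side needs to time out before falling back to tunnel mode.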
Received on Wed Mar 14 2012 - 09:02:06 MDT