Re: filtering HTTPS

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Wed, 14 Mar 2012 11:37:34 -0300

Tsantilas Christos wrote:
> On 03/13/2012 05:12 PM, Marcus Kool wrote:
>>
>> Henrik Nordström wrote:
>>> And if both sides are monitored for traffic then detection does not need
>>> to rely on timeout. If any message is seen from server or if something
>>> that does not look like ssl hello is seen from client then enter tunnel
>>> mode.
>>>
>>> There is one but still, non-http protocols over ssl/tls, not just
>>> CONNECT but actual ssl/tls. Those need ssl/tls tunnel mode where
>>> application protocol is tunneled between client and server ssl
>>> connection. And maybe a dynamic ssl-bump blacklist.
>> Where does the filtering get involved? Also non-SSL sites (aka
>> tunnelmode) need to be filtered/blocked and/or scanned for viruses.
>
> Is it a good idea to try filtering any(?) protocol (eg skype, streaming
> servers etc) using HTTP proxies and the ICAP protocol implemented to
> filter HTTP content?

Yes. Skype is not just a simple chat. It does file transfers and
remote desktop viewing. There are lots of sites that block Skype and
allow ebuddy. Others only allow Yahoo IM and block all other chats.
It is not up to us to decide what can be blocked. That is up to the
administrator of Squid and the filters.

If Squid filters 95% but intentionally does not filter some type
of data, you will have in no time a new application that uses this
unfiltered type of data to build a tunnel circumventing all filters.

>>> A sslbump whitelist is probably desired as well, skipping ssl/tls
>>> verification if it's already known the server is an https server.
>> A whitelist has a security issue: www.mybank.com can be safe today and
>> hacked tomorrow.
>
> I agree with Henrik here. The whitelist is a list saying that the
> sslbump cannot be used for some sites.

There was some confusion about what is meant by 'whitelist'. Another thread
clarified this.
I agree with a cache for already verified endpoints, but be careful:
OpenVPN uses a trick to divert HTTPS traffic to a webserver and
the other data streams are used for the VPN.

>> Skipping certificate verification is unsafe. One should be extremely
>> careful about skipping it.
>> A certificate cache seems better: one caches the certificates of
>> www.mybank.com and on the next CONNECT (the SSL handshake has to be done
>> anyway) Squid can bypass the certificate checking rules if the sent
>> certificates were used in previous CONNECTs.
>
> This is a security issue. The server certificate may change for many
> reasons, e.g. considered unsafe because of a bad private/public key. You
> should always check the server certificate.

One does not need to re-check if a new connection receives the same certificates.
I see for example thousands of CONNECTs in a short time to http://plus.google.com
One user for one webpage can have several CONNECTs.
I think it is safe to use a time-limited cache.

>> And maybe also a CONNECT cache: so that Squid remembers to go into
>> tunnelmode directly without trying to do an SSL handshake for every Skype
>> connection.
>>
Received on Wed Mar 14 2012 - 14:37:39 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 14 2012 - 12:00:07 MDT
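The time-limited verified-certificate cache debated in this thread (remember a chain only after it passed full verification, treat any change in the presented chain as a miss, expire entries on a TTL and never past the certificate's own notAfter), sketched as an added Python example that is not Squid's code. The full verifier is an assumed pluggable callable and the chain bytes in the usage below are constructed placeholders, not real DER.

```python
import hashlib
import time


class VerifiedCertCache:
    """Time-limited cache of chains that already passed full verification.
    Key = (server name, SHA-256 over the DER chain): any change in the chain
    is a miss; an entry expires after ttl seconds or at notAfter, if sooner."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock   # injectable so behaviour can be tested deterministically
        self._entries = {}   # (host, fingerprint) -> expiry timestamp

    @staticmethod
    def fingerprint(chain_der):
        h = hashlib.sha256()
        for cert in chain_der:  # length-prefix each cert so the concatenation is unambiguous
            h.update(len(cert).to_bytes(4, "big"))
            h.update(cert)
        return h.hexdigest()

    def is_verified(self, host, chain_der):
        key = (host, self.fingerprint(chain_der))
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._entries[key]  # stale entry: force a full re-verification
            return False
        return True

    def record(self, host, chain_der, leaf_not_after):
        expiry = min(self.clock() + self.ttl, leaf_not_after)
        self._entries[(host, self.fingerprint(chain_der))] = expiry


def check_connect(cache, host, chain_der, leaf_not_after, full_verify):
    """One CONNECT: 'cached', 'verified' or 'rejected'. full_verify(host, chain)
    is the expensive path (chain build, name match, revocation), run on miss only."""
    if cache.is_verified(host, chain_der):
        return "cached"
    if not full_verify(host, chain_der):
        return "rejected"   # a failing chain is never recorded
    cache.record(host, chain_der, leaf_not_after)
    return "verified"
```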