Re: SSL- Squid - proxy!

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Wed, 1 Nov 2000 13:42:06 -0800 (PST)

Based on the original note and Paul's interpretation, I believe this is
what is wanted.

        Remote
        Client --- (encrypted) --- Proxy --- (clear) --- Server

The Server running Apache, IIS, or whatever performs no encryption. Only
the connections between a Remote Client and the Proxy are encrypted. The
local campus connections are all done in the clear.

My original concept in 1998 was to use Squid, but the idea was quickly dropped
in favour of using Stronghold (Apache) and creating a virtual host for the
internal Server. Both the virtual host and the internal Server have the
same domain name and differ only in the IP address, allowing a "road
warrior" to use the same bookmarks while on the road as he does while on
campus.

Neither Netscape Proxy Server nor Microsoft Proxy Server could provide this
functionality and security the last time I looked, in mid-1999. I went to
a security conference in 1999 with a customer and got dragged into a
sidebar with Microsoft. Microsoft was more than a little curious about
how I accomplished this "trick". It wouldn't surprise me to find that
they've made another major release of their software after adding the
enhancements needed for the above.

Merton Campbell Crockett

On Wed, 1 Nov 2000, Paul Boyer wrote:

> The way I understand the initial question was to proxy SSL WITH
> BROWSER KNOWLEDGE.
> This would be of great help, for example, in accelerator mode:
>
> client --- ssl ---> Squid --- http ---> server
>
> 1- The web server would not have to handle the encryption task: a
> performance gain and the possibility of using an existing web server
> without good SSL support
> 2- The traffic could be monitored for hostile activity by an intrusion
> detection tool (lets say snort) on the hub between the squid and the
> Web server
>
> I agree with you, that kind of tool would also be useful for some bad
> guys willing to set up a man-in-the-middle attack.
>
> Anyway, Macrosoft "proxy server" has been able to do it for several years.
>
> Paul Boyer
>
> Henrik Nordstrom wrote:
> >
> > senthilvasan wrote:
> > >
> > > I realise that squid can only tunnel SSL. Do you know any other SSL proxy
> > > that works like a real proxy (decrypts and encrypts at the proxy level)? If
> > > I find such a proxy, all my problems will be solved..
> >
> > As I said, you CANNOT DO THAT unless you first crack the SSL
> > encryption. The browser will reject the SSL connection if touched by
> > any host not knowing the private encryption key of the server.
> >
> > It is not a matter of Squid. It is a matter of how SSL works.

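The Stronghold/Apache arrangement Merton describes above (TLS terminated on a virtual host, clear-text HTTP to an internal server with the same domain name) can be built today with stock Apache httpd using mod_ssl, mod_proxy and mod_headers. The configuration below is an added example, not the thread's own setup or Squid's; the hostname, IP addresses and certificate paths are hypothetical.

```apache
# Added example: TLS-terminating reverse proxy ("accelerator") in Apache httpd.
# All names, addresses and file paths here are placeholders.
Listen 443

<VirtualHost 203.0.113.10:443>
    # Public name; the same name resolves to the internal server's
    # address on the campus LAN (split DNS), so bookmarks work in both places.
    ServerName www.example.edu

    # The proxy holds the server certificate and private key, which is
    # exactly why a proxy that does NOT hold the key cannot sit in this path
    # without the browser rejecting the connection.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.edu.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    # Reverse proxy only: never let this host act as a forward (open) proxy.
    ProxyRequests Off

    # Keep the client's Host: header so the back end, which also answers to
    # www.example.edu, selects the right site and emits the right links.
    ProxyPreserveHost On

    # The clear-text leg: HTTP to the internal server on the campus network.
    ProxyPass        / http://10.0.0.5/
    ProxyPassReverse / http://10.0.0.5/

    # Let the back end know the client actually arrived over HTTPS, so it
    # does not build http:// redirects or mark cookies insecurely.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Two practical caveats follow from the diagram at the top of the thread: the clear-text leg between proxy and server carries the same data the client sent over TLS, so the segment it runs on must be one you trust (which is also what makes Paul's IDS-on-the-hub monitoring possible), and `ProxyRequests Off` matters because a TLS front end that is accidentally also a forward proxy becomes a convenient relay for the "bad guys" Paul mentions.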
Received on Wed Nov 01 2000 - 14:45:41 MST
