Re: [squid-users] transperate proxy with https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Sep 2009 14:52:37 +1200

On Mon, 14 Sep 2009 21:27:15 -0500 (CDT), Al - Image Hosting Services
<azick_at_zickswebventures.com> wrote:
> Hi,
>
> I ran into basically the same issue with https. If https requests are just
> rerouted to squid then it doesn't work. It looks like the browser sends
> the request encrypted when just routed to the proxy and it looks like it
> sends the request plain text when you have the browser configured to use
> the proxy. Can someone confirm this? And if this is the case, is there a
> way to use a transparent proxy with https?

Correct. The 'S' in HTTPS is for 'Secure' or 'SSL' (same meaning). It was
designed specifically to prevent interception attacks on HTTP traffic. One
guess what a transparent proxy does?

To perform HTTPS interception you require software to do the interception
(Squid + NAT). Install an SSL certificate in the Squid to name it the
authoritative web server for every domain on the planet. Install another
SSL certificate in the web browser of every visitor to let the client's web
browser believe the false certificate you installed in the Squid. ...or
trust that all your clients/visitors will simply click okay/accept at the
security attack warning they get faced with.

Done. You are now committing a felony crime in most countries. But never
mind that.

Amos
Received on Tue Sep 15 2009 - 02:52:42 MDT
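
The difference confirmed above, as an added example that is not part of the original message or of Squid: a browser configured to use a proxy opens with a readable `CONNECT` line, while a connection redirected from port 443 opens with a TLS ClientHello in which no HTTP request is visible. The sample bytes are constructed, the function names are hypothetical, and reading the server name (SNI) extension goes beyond what the thread discusses.

```python
import struct

# Constructed sample: what a browser configured to use a proxy sends for https://
EXPLICIT = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"

def build_client_hello(server_name):
    """Constructed sample: minimal TLS ClientHello, as seen when port 443 is redirected."""
    name = server_name.encode()
    sni = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni              # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni          # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def sni_from_hello(rec):
    """Return the SNI host name from a ClientHello record, or None if absent/truncated."""
    try:
        p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
        p += 1 + rec[p]                                  # session id
        p += 2 + int.from_bytes(rec[p:p + 2], "big")     # cipher suites
        p += 1 + rec[p]                                  # compression methods
        end = p + 2 + int.from_bytes(rec[p:p + 2], "big")
        p += 2
        while p + 4 <= min(end, len(rec)):
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            if etype == 0:                               # skip list len (2) and name type (1)
                nlen = int.from_bytes(rec[p + 7:p + 9], "big")
                return rec[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except IndexError:
        pass
    return None

def classify(first_bytes):
    """Describe what a proxy can read from the first bytes a client sends."""
    b = first_bytes
    if len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01:
        return {"kind": "tls-client-hello", "server_name": sni_from_hello(b)}
    parts = b.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return {"kind": "http", "method": parts[0], "target": parts[1]}
    return {"kind": "unknown"}

if __name__ == "__main__":
    print(classify(EXPLICIT))
    print(classify(build_client_hello("www.example.com")))
```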
