Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
On 14/04/18 10:03, Alex Crow wrote:
>
>> Unless the protocol design changes to expose full URLs and/or MIME types,
>> nothing will replace Squid Bumping.
>>
>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>> together, while we yell and curse at Google!
>>
>> MK
>
> Erm, can someone elucidate the issue here? Can't see anything about this
> in the last year of mails from this list ;-)

MK2018 is re-opening an old discussion from 2016. The discussion started
when TLS/1.3 and AES encrypted payloads were still draft-only documents in
IETF working groups. So of course the environment and what can or cannot be
done is quite different now.

This just goes to show how much TLS and HTTPS environments are changing and
why our advice to always use the latest release of Squid when SSL-Bumping
is so important. Anything even a year old discussing the topic is outdated
and possibly irrelevant.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
On 04/13/2018 02:41 PM, MK2018 wrote:
> Alex Rousskov wrote
>> Believe it or not, there are still many Squid use cases where bumping is
>> unnecessary. This includes, but is not limited to, HTTPS proxying cases
>> with peek/splice/terminate rules and environments where Squid possesses
>> the certificate issued by CAs trusted by clients. There are also IETF
>> attempts to standardize transmission of encrypted but proxy-cachable
>> content.
>>
>> I agree that Squid user base will shrink if nobody can bump 3rd party
>> traffic, but that reduction alone will not kill Squid.
>
> I would definitely disagree.

With what? Nothing you said afterwards contradicts what I said above.

Alex.
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
MK2018 wrote
> Alex Crow-2 wrote
>>> Unless the protocol design changes to expose full URLs and/or MIME
>>> types,
>>> nothing will replace Squid Bumping.
>>>
>>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>>> together, while we yell and curse at Google!
>>>
>>> MK
>>
>> Erm, can someone elucidate the issue here? Can't see anything about this
>> in the last year of mails from this list ;-)
>>
>> Alex
>
> :D :D Sure thing, here it is:
> https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/
>
> I had to know from AWS, otherwise I would have been terrorized on May 1st
> all of a sudden, just like how Google does it each time.
>
> Chrome is most probably going to spit fire at all non-CT-logged CA
> certificates. Naturally, 99% of Squid-Bumping feature users use self-signed
> certs (or otherwise own all real CAs in the world and still violate CA
> rules), so they will end up getting into war with all Chrome users (which
> is basically like 80% of users).
>
> Hope that clears it up!

I might have overlooked this:

"Certificates issued from locally-trusted or enterprise CAs that are added
by users or administrators are not subject to this requirement."
https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/wHILiYf31DE

Think there is still hope?
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
Alex Crow-2 wrote
>> Unless the protocol design changes to expose full URLs and/or MIME types,
>> nothing will replace Squid Bumping.
>>
>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>> together, while we yell and curse at Google!
>>
>> MK
>
> Erm, can someone elucidate the issue here? Can't see anything about this
> in the last year of mails from this list ;-)
>
> Alex

:D :D Sure thing, here it is:
https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/

I had to know from AWS, otherwise I would have been terrorized on May 1st
all of a sudden, just like how Google does it each time.

Chrome is most probably going to spit fire at all non-CT-logged CA
certificates. Naturally, 99% of Squid-Bumping feature users use self-signed
certs (or otherwise own all real CAs in the world and still violate CA
rules), so they will end up getting into war with all Chrome users.

Hope that clears it up!
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
> Unless the protocol design changes to expose full URLs and/or MIME types,
> nothing will replace Squid Bumping.
>
> That being said, we are headed to the vortex by 2018.05.01. Let's drown
> together, while we yell and curse at Google!
>
> MK

Erm, can someone elucidate the issue here? Can't see anything about this
in the last year of mails from this list ;-)

Alex
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
Hello :)

Alex Rousskov wrote
> Believe it or not, there are still many Squid use cases where bumping is
> unnecessary. This includes, but is not limited to, HTTPS proxying cases
> with peek/splice/terminate rules and environments where Squid possesses
> the certificate issued by CAs trusted by clients. There are also IETF
> attempts to standardize transmission of encrypted but proxy-cachable
> content.
>
> I agree that Squid user base will shrink if nobody can bump 3rd party
> traffic, but that reduction alone will not kill Squid.
>
> Alex.

I would definitely disagree.

Rich countries' citizens always forget the fact that high quality corporate
leased lines and dedicated bandwidth *do* cost so much that letting users
*hide* their unwanted traffic behind the *4th amendment* HTTPS is
unaffordable. Naturally, HTTPS standards were designed to hide traffic. I
don't mind users hiding traffic content, let users burn in hell with it,
let them rejoice with Dante! What I do mind is hiding full URLs and/or
MIME types. Give me any low cost solution that would reliably expose those
and hide anything else you want. Otherwise, it is useless to start a
business in the first place!

I mean, even with appliances like those from Sophos or others that claim to
have full control over traffic, it still remains an ugly guess work
combined with an admin nightmare for whoever then must block each and every
category of unwanted traffic!

Unless the protocol design changes to expose full URLs and/or MIME types,
nothing will replace Squid Bumping.

That being said, we are headed to the vortex by 2018.05.01. Let's drown
together, while we yell and curse at Google!

MK
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
Yuri Voinov wrote:
> I hope so. It is difficult to make long-term plans if the software has to
> die soon. :)
---
..And if SW doesn't die "soon", but only a little later?

I.e. with Google's AI designing new encryption algorithms today (nothing
said about quality), how long before they can have an AI replacing most of
us?

Even now PCs seem to be "short-timers" as mass-users are migrated to
hand-held, consume-only platforms, and PCs evolve into tomorrow's
unaffordable mini-compute-cloud servers. PCs have always been too dangerous
to allow in everyone's home unless they are locked down and become "content
platforms" to play content, similar to how game consoles are now.

It seems it will be hard just to afford an x86-64 compatible CPU with those
getting more & more cores (and more expensive) and consumers being shunted
over to the more affordable and, comparatively, Celeron-classed Atom CPUs.

A year goes by quickly enough these days, to at least get an advanced
"heads-up" on such new "standards"...
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
02.11.2016 2:58, Alex Rousskov wrote:
> On 11/01/2016 02:47 PM, Yuri Voinov wrote:
>
>> if the SSL bump will be impossible to do -
>> whether it should be understood that in such a situation you close the
>> project Squid as unnecessary? :) Seriously, why does it then need to be
>> in a world without HTTP?
>
> Believe it or not, there are still many Squid use cases where bumping is

"Wow, Plop-Plop, what a terrible story" ;)

> unnecessary. This includes, but is not limited to, HTTPS proxying cases
> with peek/splice/terminate rules and environments where Squid possesses

Sure, I know. I meet exactly this every day. This is no problem; it still
remains a relatively low percentage.

> the certificate issued by CAs trusted by clients. There are also IETF
> attempts to standardize transmission of encrypted but proxy-cachable
> content.

Hope they are not completely headless.

> I agree that Squid user base will shrink if nobody can bump 3rd party
> traffic, but that reduction alone will not kill Squid.

I hope so. It is difficult to make long-term plans if the software has to
die soon. :)

> Alex.

--
Cats - delicious. You just do not know how to cook them.
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
On 11/01/2016 02:47 PM, Yuri Voinov wrote:
> if the SSL bump will be impossible to do -
> whether it should be understood that in such a situation you close the
> project Squid as unnecessary? :) Seriously, why does it then need to be
> in a world without HTTP?

Believe it or not, there are still many Squid use cases where bumping is
unnecessary. This includes, but is not limited to, HTTPS proxying cases
with peek/splice/terminate rules and environments where Squid possesses
the certificate issued by CAs trusted by clients. There are also IETF
attempts to standardize transmission of encrypted but proxy-cachable
content.

I agree that Squid user base will shrink if nobody can bump 3rd party
traffic, but that reduction alone will not kill Squid.

Alex.
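As an added illustration of the peek/splice/terminate rules mentioned above (example configuration written for this archive, not Squid project documentation and not anything Alex posted): Squid peeks at the TLS ClientHello so the server name is visible, splices connections to sites that must never be decrypted, refuses forbidden ones, and only bumps the rest with its locally installed CA, which is the case the Chromium CT policy quoted later in this thread exempts. All hostnames, file paths and the directive options for a Squid 4-era build are assumptions.

```conf
# Added example squid.conf fragment (not from the thread). Hostnames and
# paths are placeholders; options assume a Squid 4-era build.

# Intercept/explicit port with dynamic certificate generation enabled.
# /etc/squid/bump-ca.pem is the proxy's own CA, installed on managed clients.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/bump-ca.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump steps: 1 = client TCP connect, 2 = client TLS ClientHello seen,
# 3 = server certificate seen.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites whose traffic the proxy must never decrypt (placeholders).
acl nobump ssl::server_name .bank.example .health.example
# Sites that must not be reached at all (placeholder).
acl forbidden ssl::server_name .blocked.example

# Step 1: peek at the ClientHello without decrypting anything, so the
# SNI-derived server name becomes available for the step 2 decisions.
ssl_bump peek step1
# Step 2: refuse forbidden destinations outright.
ssl_bump terminate forbidden
# Step 2: pass the protected sites through untouched (no bump CA involved).
ssl_bump splice nobump
# Everything else is bumped using the locally trusted CA from http_port.
ssl_bump bump all
```

Clients not provisioned with the bump CA will still reject the generated certificates, so the splice list is the only way to keep those destinations reachable for unmanaged devices.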
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
02.11.2016 2:03, Alex Rousskov wrote:
> On 10/31/2016 04:13 PM, L. A. Walsh wrote:
>> Google is pushing this for all websites by October 2017
>
> Just Extended Validation (EV) sites, to be exact AFAICT. All other sites
> will be forced into the new scheme sometime later. Naturally, this may
> result in requests to downgrade mimicked server certificates to remove
> the EV extension (assuming we mimic it today).
>
>> https://www.certificate-transparency.org/what-is-ct
>>
>> Seems to indicate that site-local generated and imported
>> certs may also be detected as invalid and be disallowed for
>> SSL connection approvals. That would be a major pain
>
> The question is whether the affected browsers will have knobs to disable
> CT checks or perhaps to configure custom Certificate Log addresses. If
> everything is hard-coded, then bumping is doomed. Otherwise, expect more

Alex, can you say a little more at this point? Since all of the Internet
is smoothly passing to HTTPS, if the SSL bump will be impossible to do,
should it be understood that in such a situation you close the Squid
project as unnecessary? :) Seriously, why does it then need to be in a
world without HTTP?

> sysadmin pains. You can probably answer that question now by studying

System administrators should always suffer. :) You'd think they now have a
little pain with the installation of the proxy certificates on mobile
devices. :)

By the way, these crutches in HTTPS make no sense if they can be in some
way disabled. It is my deep personal conviction. :)

> Chrome configuration.
>
> Alex.

--
Cats - delicious. You just do not know how to cook them.
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
On 10/31/2016 04:13 PM, L. A. Walsh wrote:
> Google is pushing this for all websites by October 2017

Just Extended Validation (EV) sites, to be exact AFAICT. All other sites
will be forced into the new scheme sometime later. Naturally, this may
result in requests to downgrade mimicked server certificates to remove
the EV extension (assuming we mimic it today).

> https://www.certificate-transparency.org/what-is-ct
>
> Seems to indicate that site-local generated and imported
> certs may also be detected as invalid and be disallowed for
> SSL connection approvals. That would be a major pain

The question is whether the affected browsers will have knobs to disable
CT checks or perhaps to configure custom Certificate Log addresses. If
everything is hard-coded, then bumping is doomed. Otherwise, expect more
sysadmin pains. You can probably answer that question now by studying
Chrome configuration.

Alex.
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
Google and so on are not too conducive to caching for the end user. One
problem more, one less, what's the difference? When we begin to beat,
start to cry. In general, a year in IT is an eternity. During this time,
everything can happen. So relax, cousin. Nothing else happened. ;)

PS. Magic bullets do not exist. You have forgotten that some governments
are willing to carry out SSL Bump globally over their citizens. This is a
separate issue for everyone, not just for those citizens. So quietly
celebrate Halloween and do not ride the wave :)

01.11.2016 4:41, Yuri Voinov wrote:
> When the future comes - then we will worry. What wonder, then?
>
> October 2017 is not tomorrow.
>
> 01.11.2016 4:13, L. A. Walsh wrote:
>> Google is pushing this for all websites by October 2017
>>
>> One issue to be "caught" are subordinated CA certs that can
>> allow one vector for generating certs accepted by browsers w/o
>> importing any new certs.
>>
>> Some of the info on the cert page:
>> https://www.certificate-transparency.org/what-is-ct
>>
>> Seems to indicate that site-local generated and imported
>> certs may also be detected as invalid and be disallowed for
>> SSL connection approvals. That would be a major pain given
>> google's actions that seem to be hostile to end-user (or
>> end-site) web-caching.
>> (saw this on
>> http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/
>> ).

--
Cats - delicious. You just do not know how to cook them.
Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
When the future comes - then we will worry. What wonder, then?

October 2017 is not tomorrow.

01.11.2016 4:13, L. A. Walsh wrote:
> Google is pushing this for all websites by October 2017
>
> One issue to be "caught" are subordinated CA certs that can
> allow one vector for generating certs accepted by browsers w/o
> importing any new certs.
>
> Some of the info on the cert page:
> https://www.certificate-transparency.org/what-is-ct
>
> Seems to indicate that site-local generated and imported
> certs may also be detected as invalid and be disallowed for
> SSL connection approvals. That would be a major pain given
> google's actions that seem to be hostile to end-user (or
> end-site) web-caching.
> (saw this on http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/
> ).

--
Cats - delicious. You just do not know how to cook them.
[squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?
Google is pushing this for all websites by October 2017

One issue to be "caught" are subordinated CA certs that can
allow one vector for generating certs accepted by browsers w/o
importing any new certs.

Some of the info on the cert page:
https://www.certificate-transparency.org/what-is-ct

Seems to indicate that site-local generated and imported
certs may also be detected as invalid and be disallowed for
SSL connection approvals. That would be a major pain given
google's actions that seem to be hostile to end-user (or
end-site) web-caching.
(saw this on http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/ ).