Re: [squid-users] Would it be possible to run a http to https gateway using squid?

2016-05-16 Thread Amos Jeffries
On 16/05/2016 12:53 p.m., Eliezer Croitoru wrote:
> Hey Amos,
> 
> You are right that it seems like there is no point since you already
> decrypt the connection.
> But in the real world the price of maintaining an encrypted session for
> many users for a long period is not the same as maintaining them for
> short burst.

Yes, the short connections have higher cost on almost all metrics.

The maintenance cost of either TCP or TLS connections is a fixed
per-packet cost in both memory holding connection state and CPU cycles
handling the packet. The number of handshakes and open/close cycles adds
a burst of extra cost.


> 
> Since all YouTube traffic is done on HTTPS it would be pretty simple
> with these days tools to use some kind of a "https to http bridge"
> software that would
> fetch the pages for the clients(most of the pages are tiny) and it will
> help the clients to be able to handle less secured traffic.
> 

YT is secured as an attempt to protect privacy. You are ignoring the
most annoying part of the privacy equation.

For any piece of privacy critical information A, there is another piece
of metadata information B = uses(A) which can be correlated and thus
needs to be treated as equivalent in privacy to A itself.
 And of course that makes the start of a slippery slope in the
definition of privacy: B is private so it has its own C = uses(B), etc, etc.

So for example; given a YouTube video of some baby saying their first word:
 * That video is private,
 * meaning where it's stored is private,
 * meaning who accessed that URL is private,
 * meaning pages containing the URL are private,
 * meaning who accesses YT pages is private,
 * meaning who tries to contact YT is private,
 * ... and it gets more paranoid from there.

There is a similar chain from other details about the video; the timing
of the video creation, who posted it, what type it is, how long it is,
file size, etc. It is all metadata and enough of that can be correlated.

In a world like ours where mass surveillance exists if those minor
details are not all 100% secured then privacy is lost.




> I know that with these days hardware it's almost not needed but inside a
> trusted network there is no point for using end to end HTTPS.(to my
> understanding)
> Some might not believe that there are trusted networks in the wild
> but I know that these do exist and in many of these such a GW is required.

The Internet is not qualifying as a trusted network.

If you are talking about inbound connections from Internet / WAN into a
trusted network, that is the definition of a CDN / reverse-proxy and
"https_port 443 accel" has been doing that securely and very well since
Squid-2.6.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Would it be possible to run a http to https gateway using squid?

2016-05-15 Thread Eliezer Croitoru

Hey Amos,

You are right that it seems like there is no point since you already 
decrypt the connection.
But in the real world the price of maintaining an encrypted session for 
many users for a long period is not the same as maintaining them for 
short burst.


Since all YouTube traffic is done on HTTPS it would be pretty simple 
with these days tools to use some kind of a "https to http bridge" 
software that would
fetch the pages for the clients(most of the pages are tiny) and it will 
help the clients to be able to handle less secured traffic.


I know that with these days hardware it's almost not needed but inside a 
trusted network there is no point for using end to end HTTPS.(to my 
understanding)
Some might not believe that there are trusted networks in the wild 
but I know that these do exist and in many of these such a GW is required.


Eliezer

On 11/05/2016 08:40, Amos Jeffries wrote:
> On 11/05/2016 9:25 a.m., Eliezer Croitoru wrote:
> > I was wondering to myself, If I can generate certificates and bump the
> > connection, I can use a 302\308 to redirect all traffic from https to a
> > http(interceptable) connection.
> >
> > Then on the http interceptor rewrite the request into https.
>
> What would be the point? You already had to decrypt to do the bump and
> redirect.
>
> > I have a working setup which uses a redirection "attack" to authenticate
> > users over http+https.
> >
> > Now the issue is that if all browsers will deny a redirection from https to
> > http(a downgrading attack) then the http world would look a bit weird.
>
> Not that weird. It is called HTTP Strict Transport Security (HSTS).
>
> > And as an addition I have seen that Microsoft use an "FTP" like transfer
> > protocol in their software.
> >
> > They have a "secured" control channel which has certificates pinning or
> > something else as a safeguard,
> > and in more than one case they use another channel to fetch the request over
> > plain HTTP( when a proxy is defined).
>
> You will note that this is a very cache friendly way to do crypto. The
> bulky part of the content is cacheable by anyone who needs to reduce
> bandwidth, but remains securely verifiable and integrity checked using
> the off-band details.
>
> However, it is not what you are talking about for your tool. The above
> method by MS requires intentional design in the web service with
> integrity checking actually performed by the endpoints.
>
> Under downgrade attack conditions the endpoints would not know that the
> extra work was needed so one cannot assume that it is getting done. One
> of the reasons browsers are so into TLS is that the transport layer does
> all the verification and leaves them able to skip perceived slow
> security checks at higher levels.
>
> > Would it be reasonable to write and publish such a tool? Or is it a security
> > risk to publish such a tool to the public?
>
> Up to you. AIUI it is illegal in most of the world to make use of it. Like
> most hacking tools if used other than for permitted penetration testing
> and research purposes.
>
> Amos



Re: [squid-users] Would it be possible to run a http to https gateway using squid?

2016-05-10 Thread Amos Jeffries
On 11/05/2016 9:25 a.m., Eliezer Croitoru wrote:
> I was wondering to myself, If I can generate certificates and bump the
> connection, I can use a 302\308 to redirect all traffic from https to a
> http(interceptable) connection.
> 
> Then on the http interceptor rewrite the request into https.

What would be the point? You already had to decrypt to do the bump and
redirect.

> 
> I have a working setup which uses a redirection "attack" to authenticate
> users over http+https.
> 
> Now the issue is that if all browsers will deny a redirection from https to
> http(a downgrading attack) then the http world would look a bit weird.
> 

Not that weird. It is called HTTP Strict Transport Security (HSTS).


> 
> And as an addition I have seen that Microsoft use an "FTP" like transfer
> protocol in their software.
> 
> They have a "secured" control channel which has certificates pinning or
> something else as a safeguard,
> and in more than one case they use another channel to fetch the request over
> plain HTTP( when a proxy is defined).
> 

You will note that this is a very cache friendly way to do crypto. The
bulky part of the content is cacheable by anyone who needs to reduce
bandwidth, but remains securely verifiable and integrity checked using
the off-band details.

However, it is not what you are talking about for your tool. The above
method by MS requires intentional design in the web service with
integrity checking actually performed by the endpoints.

 Under downgrade attack conditions the endpoints would not know that the
extra work was needed so one cannot assume that it is getting done. One
of the reasons browsers are so into TLS is that the transport layer does
all the verification and leaves them able to skip perceived slow
security checks at higher levels.

> 
> Would it be reasonable to write and publish such a tool? Or is it a security
> risk to publish such a tool to the public?
> 

Up to you. AIUI it is illegal in most of the world to make use of it. Like
most hacking tools if used other than for permitted penetration testing
and research purposes.

Amos
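
The split described in the reply above (a small authenticated control channel plus bulk content that travels over cacheable plain HTTP) only protects anything when the endpoint checks the bulk bytes itself. The following is an added sketch, not code from the thread or from Microsoft; the manifest layout, the function names, the chunk size and the sample payload are all assumptions made for illustration.

```python
import hashlib
import hmac

CHUNK = 16  # assumed chunk size for this sketch


def make_manifest(body: bytes, chunk: int = CHUNK) -> dict:
    """Publisher side: small record sent over the authenticated control channel."""
    parts = [body[i:i + chunk] for i in range(0, len(body), chunk)]
    return {"length": len(body), "chunk": chunk,
            "sha256": [hashlib.sha256(p).hexdigest() for p in parts]}


def verify_bulk(manifest: dict, body: bytes) -> bytes:
    """Endpoint side: accept bytes from the plain-HTTP path only if they match."""
    if len(body) != manifest["length"]:
        raise ValueError("length mismatch")
    chunk = manifest["chunk"]
    parts = [body[i:i + chunk] for i in range(0, len(body), chunk)]
    if len(parts) != len(manifest["sha256"]):
        raise ValueError("chunk count mismatch")
    for index, (part, expected) in enumerate(zip(parts, manifest["sha256"])):
        actual = hashlib.sha256(part).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise ValueError(f"chunk {index} failed the integrity check")
    return body


def accepts(manifest: dict, body: bytes) -> bool:
    """True only when the bulk bytes match the manifest exactly."""
    try:
        verify_bulk(manifest, body)
        return True
    except ValueError:
        return False


# Constructed sample data, not taken from any real service.
SAMPLE_BODY = b"bulk payload that any proxy on the path may cache"
TAMPERED_BODY = SAMPLE_BODY.replace(b"cache", b"alter")  # same length, different bytes
TRUNCATED_BODY = SAMPLE_BODY[:-5]

if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_BODY)
    for label, body in [("original", SAMPLE_BODY), ("tampered", TAMPERED_BODY),
                        ("truncated", TRUNCATED_BODY)]:
        print(label, "accepted" if accepts(manifest, body) else "rejected")
```

An endpoint that never receives the manifest, or that uses the body without calling a check like `verify_bulk`, has nothing to compare against, which is the gap the reply points out for downgraded connections.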



[squid-users] Would it be possible to run a http to https gateway using squid?

2016-05-10 Thread Eliezer Croitoru
I was wondering to myself, If I can generate certificates and bump the
connection, I can use a 302\308 to redirect all traffic from https to a
http(interceptable) connection.

Then on the http interceptor rewrite the request into https.

I have a working setup which uses a redirection "attack" to authenticate
users over http+https.

Now the issue is that if all browsers will deny a redirection from https to
http(a downgrading attack) then the http world would look a bit weird.


I was thinking about such a downgrade attack on couple sites but I am unsure
how good it will be.

I have seen couple years ago that some ISPs used a redirection attack when
youtube used plain http, this was in order to allow a "pre-fetch" of a tiny
GET request.

Now since many others up-graded their security it's another story.

 

And as an addition I have seen that Microsoft use an "FTP" like transfer
protocol in their software.

They have a "secured" control channel which has certificates pinning or
something else as a safeguard,
and in more than one case they use another channel to fetch the request over
plain HTTP( when a proxy is defined).

 

Would it be reasonable to write and publish such a tool? Or is it a security
risk to publish such a tool to the public?

 

Eliezer

 


