Hi Jason,
> If you think the external acl method is too expensive to run, how do you
> expect to feed this NIDS data back into squid? I think you'd find you'd
> need an external acl check to do that bit anyway :-)
I should have been clearer - my use of the term feedback loop was
meant to imply th
On 08/01/15 18:41, Chris Bennett wrote:
> Interesting thread so far. Has anyone thought of using Bro-IDS as a
> feedback loop for some of this advanced logic for bypassing bumping?
The external acl method mentioned earlier probably out-does using some
NIDS feedback loop. In my testing it causes s
Interesting thread so far. Has anyone thought of using Bro-IDS as a
feedback loop for some of this advanced logic for bypassing bumping?
Bro performs passive reconnaissance, generates very useful logs for
any payloads it can decode, and is extendable.
e.g. ssl.log may contain something like this
On 06/01/15 05:28, Eliezer Croitoru wrote:
> In 3.5 there will be a new feature called peek and splice that can
> give an interface to squid and the admin which will allow the admin
> to know a couple of things about the connection from squid, and
> specifically first the client TLS request
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Agreed.
I'm an expert on shell, not Perl/Python. :)
But I will try to make something useful with it.
05.01.2015 22:28, Eliezer Croitoru wrote:
> On 01/05/2015 05:18 PM, Yuri Voinov wrote:
> > We aren't filtering non-HTTP over port 443. Just recognize and
>
On 01/05/2015 05:18 PM, Yuri Voinov wrote:
> We aren't filtering non-HTTP over port 443. Just recognize and
> pass.
So let's separate security, which is one of the goals of squid and
which some like and others don't.
For now squid 3.4 is stable and 3.
We aren't filtering non-HTTP over port 443. Just recognize and pass.
05.01.2015 21:15, Marcus Kool wrote:
>
>
> On 01/05/2015 12:38 PM, Douglas Davenport wrote:
>> Marcus, not to distract from the very important main points being
discussed here but
On 01/05/2015 12:38 PM, Douglas Davenport wrote:
Marcus, not to distract from the very important main points being discussed
here but I have to question your last line:
"i.e. there is not yet an interface for this type of traffic inspection."
Is that not the whole point of Squid's ICAP interf
Wait a minute, gents.
What about ICAP? What did I skip?
05.01.2015 20:38, Douglas Davenport wrote:
> Marcus, not to distract from the very important main points being discussed
> here but I have to
question your last line:
> "i.e. there is not yet
Marcus, not to distract from the very important main points being discussed
here but I have to question your last line:
"i.e. there is not yet an interface for this type of traffic inspection."
Is that not the whole point of Squid's ICAP interface and HTTPS bumping? Or
do you just mean that ufdbgu
On 01/05/2015 11:11 AM, Yuri Voinov wrote:
And also:
don't forget about bogus homebrew internet banking, which uses bogus
SSL certs with bogus GOST implementations. And bogus Java-based clients. All of
them also use port 443. And often HTTPS
And also:
don't forget about bogus homebrew internet banking, which uses bogus
SSL certs with bogus GOST implementations. And bogus Java-based clients.
All of them also use port 443. And often HTTPS with homebrew bogus
features.
We don't know, ho
I think
non-HTTP/HTTPS security issues are never ever a Squid function.
Squid is not an all-in-one security solution. It's only an HTTP proxy.
For other security breaches (i.e. SSH tunnels, various browser
tunnel-related plugins, Tor etc.) we have anothe
Much of the discussion so far has been about bumping traffic on port 443,
bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
other traffic. Since port 443 is used for many protocols, it is in many
cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443
are common,
Hey Yuri,
Indeed there are other *NIX systems and for each and every one of them
there is a solution in need.
SSL-pinned destinations cannot be identified automatically since they
are pinned inside the software and the certificate will not show
anything
>
> On 01/01/15 00:11, James Harper wrote:
> > The helper connects to the IP:port and tries to obtain the certificate, and
> then caches the result (in an sqlite database). If it can't do so within a
> fairly
> short time it returns failure (but keeps trying a bit longer and caches it for
> next
Sounds good,
but the server world does not end at Linux. ;)
Other *NIX systems exist now. And will exist in the future.
Also. I have an idea, gents.
Can we easily and quickly detect SSL-pinned destinations? And remember
them, for example, in a database?
In
On 05/01/15 15:44, Eliezer Croitoru wrote:
> A squid helper is nice but... a NFQUEUE helper that can verify if to
> FORWARD or BUMP the connection would be a better suited solution to my
> opinion.
Not sure if you're ignoring the ssl-peek work, but squid still needs to
be able to "peek" in order fo
Hey Thread (Jason, Yuri, Douglas...),
There are a couple of aspects about SSL and connections in general, and
as we talk about the SSL port I first would like to put a couple of things on
the table.
* Squid is an HTTP caching proxy and therefore every feature which
Seems to me it would be more useful as an external ACL so that a decision
could be made based on other factors eg src or dstdomain whether to deny or
allow the un-bumpable connection.
On Sun, Jan 4, 2015 at 4:29 PM, Yuri Voinov wrote:
>
>
> As I
As I can see, we have two major problems with SSL Bump now.
1. Stupid apps and their stupid developers - like ICQ and other stupid IMs
- which hope port 443 will never be blocked because it is used for
logons/internet banking etc.
This stupid way broke sta
To return to Earth:
I think a good idea is built-in (maybe in ssl_crtd?) functionality to
check a port 443 connection for "Is there HTTPS inside?" and if not, do not
bump by default.
This is so simple and fast, isn't it? And we can have some config option
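The check Yuri is asking for, as an added example written for this page (it is not Squid or ssl_crtd code): look at the first bytes a client sends on port 443 and decide whether a TLS ClientHello is inside before deciding to bump. It also pulls the server name out of the SNI extension, which is the "client TLS request" detail that peeking exposes. The function names, the ClientHello builder and every byte string below are constructed for the example and are not taken from the thread.

```python
"""Is there TLS inside a port-443 connection?  Decide from the first bytes
the client sends, before any bumping.

Added example for this thread; the function names and the sample traffic
are constructed here, not taken from Squid.
"""


def looks_like_tls_client_hello(data):
    """True if `data` begins with a TLS record that carries a ClientHello.

    Layout checked: record type 0x16 (handshake), record version 0x03xx,
    record length, then handshake type 0x01 (ClientHello). Only the first
    9 bytes are needed. SSLv2-style hellos (first byte 0x80) are not TLS
    records and are deliberately reported as not-TLS.
    """
    if len(data) < 9:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return False
    if int.from_bytes(data[3:5], "big") < 4:   # room for a handshake header
        return False
    return data[5] == 0x01


def classify_first_bytes(data):
    """Coarse label for what a client is really sending on port 443."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if data.startswith(b"SSH-"):               # SSH tunnels on 443 are common
        return "ssh"
    head = data.split(b" ", 1)[0]
    if head in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"DELETE", b"CONNECT"):
        return "http"                          # plaintext HTTP on 443
    return "unknown"                           # proprietary IM/cloud framing etc.


def sni_of(data):
    """Server name from the ClientHello's SNI extension, or None.

    Walks: record header (5) + handshake header (4) + version (2) + random
    (32) + session id + cipher suites + compression methods + extensions.
    """
    if not looks_like_tls_client_hello(data):
        return None
    p = 5 + 4 + 2 + 32
    try:
        p += 1 + data[p]                                      # session id
        p += 2 + int.from_bytes(data[p:p + 2], "big")         # cipher suites
        p += 1 + data[p]                                      # compression
        end = p + 2 + int.from_bytes(data[p:p + 2], "big")    # extensions
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(data[p:p + 2], "big")
            elen = int.from_bytes(data[p + 2:p + 4], "big")
            if etype == 0 and elen >= 5:                      # server_name
                name_len = int.from_bytes(data[p + 7:p + 9], "big")
                return data[p + 9:p + 9 + name_len].decode("ascii")
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello with one SNI entry (sample input)."""
    name = b"\x00" + len(server_name).to_bytes(2, "big") + server_name
    name_list = len(name).to_bytes(2, "big") + name
    ext = b"\x00\x00" + len(name_list).to_bytes(2, "big") + name_list
    body = (b"\x03\x03" + bytes(32)        # client_version, random
            + b"\x00"                      # session_id: empty
            + b"\x00\x02\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                  # compression: null only
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

In Squid 3.5 this first-bytes inspection is what `ssl_bump peek` does at step 1; the `splice` or `bump` rules that follow can then match on what was seen (for instance with the `ssl::server_name` acl), which is the config-option part of the proposal.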
I saw a very similar feature in ufdbGuard which is a URL filter implemented
as a Squid Redirector. They have a feature which probes the destination
server for a valid HTTPS cert in parallel to the user's connection and
terminates it if it turns out not to be a valid HTTPS cert. Their code is
open s
The term "HTTPS" is often used as "any connection over port 443".
03.01.2015 13:59, Jason Haar wrote:
> On 01/01/15 00:11, James Harper wrote:
>> The helper connects to the IP:port and tries to obtain the
certificate, and then caches the result (in an sqli
On 01/01/15 00:11, James Harper wrote:
> The helper connects to the IP:port and tries to obtain the certificate, and
> then caches the result (in an sqlite database). If it can't do so within a
> fairly short time it returns failure (but keeps trying a bit longer and
> caches it for next time).
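A helper of the kind James describes (probe the destination for a TLS server, cache the verdict, fail fast), as an added example written for this page; it is not James Harper's helper and not Squid code. The squid.conf wiring in the docstring, the TTLs, the database path and the table schema are my assumptions; the `prober` and `now` parameters exist only so the cache logic can be exercised without network access.

```python
"""Squid external_acl_type helper: "is there a TLS server at IP:port?"

Squid hands us one line per lookup and expects OK or ERR back. Assumed
squid.conf wiring (names and TTLs are this example's choices):

    external_acl_type tls_probe ttl=3600 negative_ttl=60 %DST %PORT /usr/local/bin/tls_probe.py
    acl tls_server external tls_probe
    ssl_bump none !tls_server

Verdicts are cached in SQLite: a positive answer for an hour, a failure
only briefly, so a peer that was merely slow gets re-probed next time.
"""
import socket
import sqlite3
import ssl
import sys
import time

POSITIVE_TTL = 3600   # seconds to trust an "it speaks TLS" verdict (assumed)
NEGATIVE_TTL = 60     # failures are retried sooner; the peer may have been slow
PROBE_TIMEOUT = 2.0   # Squid is waiting on us, so give up quickly


def probe_tls(host, port, timeout=PROBE_TIMEOUT):
    """Return 'OK' if host:port completes a TLS handshake and presents a
    certificate, 'ERR' otherwise (refused, timed out, not TLS at all).

    Trust is deliberately not checked: the question is "is this TLS?", and
    a self-signed or otherwise bogus cert still means a TLS server.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return "OK" if tls.getpeercert(binary_form=True) else "ERR"
    except (OSError, ssl.SSLError):
        return "ERR"


def open_cache(path=":memory:"):
    """Open (or create) the verdict cache. Default is in-memory for tests."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS probe ("
        " host TEXT, port INTEGER, verdict TEXT, expires REAL,"
        " PRIMARY KEY (host, port))"
    )
    return db


def lookup(db, host, port, prober=probe_tls, now=time.time):
    """Cached verdict for host:port, probing on a miss or after expiry."""
    row = db.execute(
        "SELECT verdict, expires FROM probe WHERE host = ? AND port = ?",
        (host, port),
    ).fetchone()
    t = now()
    if row is not None and row[1] > t:
        return row[0]
    verdict = prober(host, port)
    ttl = POSITIVE_TTL if verdict == "OK" else NEGATIVE_TTL
    db.execute(
        "INSERT OR REPLACE INTO probe VALUES (?, ?, ?, ?)",
        (host, port, verdict, t + ttl),
    )
    db.commit()
    return verdict


def handle_line(db, line, prober=probe_tls, now=time.time):
    """One Squid request line '<ip> <port>' -> 'OK' or 'ERR'.

    Malformed input is answered ERR rather than crashing the helper, since a
    dead helper makes Squid fail every lookup.
    """
    parts = line.split()
    if len(parts) != 2 or not parts[1].isdigit():
        return "ERR"
    return lookup(db, parts[0], int(parts[1]), prober, now)


def main():
    db = open_cache("/var/cache/squid/tls_probe.db")   # assumed path
    for line in sys.stdin:                              # one lookup per line
        sys.stdout.write(handle_line(db, line) + "\n")
        sys.stdout.flush()                              # Squid reads line by line


if __name__ == "__main__":
    main()
```

The short negative TTL is the simple form of "keeps trying a bit longer": a peer that did not answer within the timeout is asked again on the next request instead of being remembered as non-TLS for an hour. Eliezer's warning about SQLite's whole-file locking applies if several helper children share one database file; one file per child, or `concurrency=` with a single child, avoids it.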
On 2/01/2015 4:33 p.m., Amos Jeffries wrote:
>
> Yuri, regarding Squid packaged helpers...
>
Oops, sorry, that should have been directed at James or anyone wishing
to bundle his helper with Squid.
> Distribution of any code within the Squid package
On 2/01/2015 1:21 p.m., Eliezer Croitoru wrote:
> Hey Yuri,
>
> You would want to avoid sqlite as far as you can due to its whole
> DB file LOCK nature.
Indeed. My experience with SQLite has been that it is vastly slower
than other DB options even a
Hey Yuri,
You would want to avoid sqlite as far as you can due to its whole DB
file LOCK nature.
Eliezer
On 01/02/2015 12:17 AM, Yuri Voinov wrote:
> If the helper can learn in conjunction with a SQLite DB - it solves
> one of our bump problems.
>
>
BTW,
gents.
Detecting non-HTTPS connections over port 443 is a real problem.
This technique is used in some IM apps, cloud apps and in other ways.
To catch them I need to review cache.log in real time, snoop the raw IP flow,
manually add URL regexps to non-
Hey James,
I would also appreciate any code that does what you have mentioned.
I can later write a simple IP\IP_MASK based external_acl helper
that can help manage the bumped\un-bumped list live using some database.
Eliezer
On 12/31/2014 01:11 PM, J
SSL bump: Google drive application could not
connect
>
> Probably non-HTTPS protocol being used.
>
> As bumping gets more popular we are hearing about a number of services
> abusing port 443 for non-HTTPS protocols on the false assumption that
> the TLS layer goes all the
on Squid itself is no different in either position.
>
> The security balance is between whether the rest of the machine
> access methods (including the ICAP servers' security "footprint") are
> more/worse secure in either position vs the traffic costs mentioned above.
>
> N
James,
where can I take a look at your helper? I'm interested in these things,
as there are services that use port 443 but without HTTPS. I.e., ICQ, etc.
WBR, Yuri
>
> Probably non-HTTPS protocol being used.
>
> As bumping gets more popular we are hearing about a number of services
> abusing port 443 for non-HTTPS protocols on the false assumption that
> the TLS layer goes all the way to the origin server without
> inspection. That has never been a true ass
On Dec 30, 2014 7:04 PM, "Amos Jeffries" wrote:
>
>
> On 31/12/2014 6:30 a.m., shawn wilson wrote:
> > On Dec 30, 2014 8:57 AM, "Amos Jeffries" wrote:
> >>
> >
> >>
> >> As bumping gets more popular we are hearing about a number of
> >> services ab
On 31/12/2014 6:30 a.m., shawn wilson wrote:
> On Dec 30, 2014 8:57 AM, "Amos Jeffries" wrote:
>>
>
>>
>> As bumping gets more popular we are hearing about a number of
>> services abusing port 443 for non-HTTPS protocols on the false
>> assumption t
hurin; squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect
>
>
>
>
> WCCP only, of course. To reduce Cisco CPU usage.
>
> Also, iOS version 15.4 with SECURITYK9 techno pack activated.
>
> 31.12.20
Perfect thanks a lot!!!
Raf :)
From: Yuri Voinov [mailto:yvoi...@gmail.com]
Sent: Tuesday, December 30, 2014 9:23 PM
To: Rafael Akchurin; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not
connect
s the traffic from your clients? (explicit
proxy or cisco WCCP?)
>
>
>
> raf
>
> *From:*Yuri Voinov [mailto:yvoi...@gmail.com]
> *Sent:* Tuesday, December 30, 2014 9:16 PM
> *To:* Rafael Akchurin; squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3
esday, December 30, 2014 8:48 PM
> *To:* Rafael Akchurin; squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect
>
>
>
>
> Already found this lonely right post ;) I have Google-Fu too :) And it
longer than yo
-users] Squid 3 SSL bump: Google drive application could not
connect
To finalize a solution,
see our favorite:
http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html
Why use iptables, ipfilter,Cisco, etc?!
Only Squid, only hardcore
To finalize a solution,
see our favorite:
http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html
Why use iptables, ipfilter,Cisco, etc?!
Only Squid, only hardcore!
Revert cisco config back:
R2911(config)#no access-list 121
R29
-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not
connect
Already found this lonely right post ;) I have Google-Fu too :) And it is longer
than yours :)
Anyway,
all of these issues solved.
I
uesday, December 30, 2014 3:19 PM
> *To:* Rafael Akchurin; squid-users@lists.squid-cache.org
<mailto:squid-users@lists.squid-cache.org>
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect
>
>
>
>
> May be.
>
>
-users] Squid 3 SSL bump: Google drive application could not
connect
Only exclusion from SSL Bump as far as I know.
raf
From: Yuri Voinov mailto:yvoi...@gmail.com>>
Sent: Tuesday, December 30, 2014 3:19 PM
To: Rafael Akchurin;
squid-users@lists.squid-cac
On Dec 30, 2014 8:57 AM, "Amos Jeffries" wrote:
>
>
> As bumping gets more popular we are hearing about a number of services
> abusing port 443 for non-HTTPS protocols on the false assumption that
> the TLS layer goes all the way to the origin server without
> inspection. That has never been a tr
he.org>>
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not
connect
Captain Obvious. :)
Tell me something I don't know.
Question 2 is - WHAT exactly must I exclude?
Google Support's list could
know.
>
>
> raf
>
> -
> *From:* Yuri Voinov
> *Sent:* Tuesday, December 30, 2014 3:19 PM
> *To:* Rafael Akchurin; squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connec
Only exclusion from SSL Bump as far as I know.
raf
From: Yuri Voinov
Sent: Tuesday, December 30, 2014 3:19 PM
To: Rafael Akchurin; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not
connect
f of Yuri Voinov
> Sent: Tuesday, December 30, 2014 2:12 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Squid 3 SSL bump: Google drive application
could not connect
>
> Hi gents,
>
> I found strange issue.
>
> Squid 3.4.10. Intercept. HTTPS bumping
SSL Pinning? (I know Dropbox does this)
my two cents only :)
Raf
From: squid-users on behalf of Yuri
Voinov
Sent: Tuesday, December 30, 2014 2:12 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 3 SSL bump: Google drive
On 31/12/2014 2:12 a.m., Yuri Voinov wrote:
>
> Hi gents,
>
> I found a strange issue.
>
> Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs
> correct.
>
> While all web HTTPS sites work perfectly - especially in
> Chrome, most
Hi gents,
I found a strange issue.
Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.
While all web HTTPS sites work perfectly - especially in Chrome,
most cloud clients work like a charm (SpiderOak does!), Google Drive cl