On 10/26/21 5:46 PM, k...@sudo-i.net wrote:
> - Squid requires the client to use SNI
> - Squid looks up the IP for the SNI (DNS resolution).
> - Squid forces the client to go to the resolved IP

AFAICT, the above strategy is in conflict with the "SECURITY NOTE" paragraph in the host_verify_strict documentation: if Squid strays from the intended IP using client-supplied destination info, then malicious applets will escape browser IP-based protections. Also, SNI obfuscation or encryption may make this strategy ineffective or short-lived.

AFAICT, in the majority of deployments, the mismatch between the intended IP address and the SNI/Host header can be correctly handled automatically and without creating serious problems for the user. Squid already does the right thing in some cases. Somebody should carefully expand that coverage to intercepted traffic. Frankly, I am somewhat surprised nobody has done that yet given the number of complaints!

HTH,

Alex.

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
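The host-verification idea behind the thread, as an added example that is not Squid's code: the intercepted connection stays pinned to the IP the client actually connected to, and the SNI is used only to verify that destination, never to choose a new one. The resolver table, host names and addresses are constructed for the example, and the strict/non-strict policy is an assumption modelled on the host_verify_strict behaviour described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# A resolver maps a host name to the addresses it resolves to.
Resolver = Callable[[str], Iterable[str]]


@dataclass(frozen=True)
class Decision:
    action: str               # "forward" or "reject"
    target_ip: Optional[str]  # always the original destination when forwarding
    reason: str


def verify_intercepted(orig_dst_ip: str, sni: Optional[str],
                       resolve: Resolver, strict: bool = True) -> Decision:
    """Decide whether an intercepted connection may be forwarded.

    The SNI is client-supplied, so it is only used to *check* the destination
    the client already connected to. The proxy never redirects to an address
    derived from the SNI: that is exactly the "straying from the intended IP"
    the SECURITY NOTE warns about.
    """
    dst = ipaddress.ip_address(orig_dst_ip)
    if not sni:
        # No (or encrypted/obfuscated) SNI: nothing to verify against, so the
        # connection simply stays pinned to the original destination.
        return Decision("forward", str(dst), "no SNI; pinned to original destination")
    resolved = {ipaddress.ip_address(a) for a in resolve(sni)}
    if dst in resolved:
        return Decision("forward", str(dst), "SNI resolves to original destination")
    if strict:
        # host_verify_strict-style policy: a mismatch is an error, not a redirect.
        return Decision("reject", None, "SNI does not resolve to original destination")
    # Relaxed policy: tolerate the mismatch (log it), but still never follow the SNI.
    return Decision("forward", str(dst), "mismatch tolerated; pinned to original destination")


# Constructed DNS data for the example (TEST-NET addresses, not real hosts).
CONSTRUCTED_DNS = {
    "www.example.test": ["198.51.100.7", "198.51.100.8"],
    "intranet.example.test": ["192.0.2.10"],
}


def constructed_resolver(name: str) -> Iterable[str]:
    return CONSTRUCTED_DNS.get(name.lower(), [])


if __name__ == "__main__":
    print(verify_intercepted("192.0.2.10", "www.example.test", constructed_resolver))
```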