On Dec 30, 2014 7:04 PM, "Amos Jeffries" <squ...@treenet.co.nz> wrote:
>
> On 31/12/2014 6:30 a.m., shawn wilson wrote:
> > On Dec 30, 2014 8:57 AM, "Amos Jeffries" wrote:
> >>
> >> As bumping gets more popular we are hearing about a number of
> >> services abusing port 443 for non-HTTPS protocols on the false
> >> assumption that the TLS layer goes all the way to the origin
> >> server without inspection. That has never been a true assumption,
> >> CDN frontends have always decrypted.
> >>
> >
> > OT but you use 443 because people expect it to be encrypted web
> > data and don't block it. And DPI doesn't tell you anything more.
> >
>
> "web" is no longer just HTTP and that is part of the problem. People
> treating port 443 as if any of the "web" protocols can use it just by
> being wrapped in TLS.
>

Worse than that - I'm mainly thinking ssh (which won't survive DPI).

> Port 443 is specifically registered for "HTTP over TLS" (aka HTTPS).
> "Web" includes HTTP, but also includes protocols like RSS, WebSockets,
> SPDY, QUIC, COAP, even IRC and Jabber at times.
>
> The other non-HTTP protocols have other non-443 ports registered or
> available for their use. Some like SMTP even switch their main port
> between encrypted and non-encrypted as needed.
>
> I know it can be hard to get unusual ports opened past firewalls, but
> that is not being helped by everything using only a handful of ports.
> [I have a long rant at this point about lazy corporates, but it's 2015
> in a few hrs so I'll drop it for now].
>

My point isn't even about "lazy corporates" but this: how many airlines will block ssh over port 22 and how many will block it over 443? (And if that doesn't work, OpenVPN on 443 and ssh through that.) I assume Google thought along similar lines when they talked about which port to put their binary Drive data on. You want people to stop using 443 for non-https traffic, get people to stop blocking the other ssl ports.

This is OT but here's the topical point - if you're going to bump http+ssl traffic, you need to know that due to some people blocking alternative ports for secure services, you'll always see non-http traffic here. The IETF might give you a port but only smart long term business decisions will allow you to keep it - that's far past over for 443/tcp at this point I think :/
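A small triage check a bump operator could run over the first bytes each client sends on a port-443 connection, to see how much of that traffic is a real TLS ClientHello versus ssh or something else squatting on the port. This is an added example, not code from the thread or from Squid; the sample payloads are constructed.

```python
"""Classify the opening client bytes of a port-443 connection.

A bumping proxy sees the raw client bytes before any TLS handshake
completes, so it can cheaply separate a TLS ClientHello from protocols
that only use 443 to get past firewalls. A tunnel that is itself wrapped
in TLS (e.g. ssh inside stunnel) looks like TLS at this layer; only the
bump itself reveals what is inside. Added example; payloads constructed.
"""
from typing import Dict, Iterable, Literal

Kind = Literal["tls-clienthello", "ssh", "plain-http", "unknown"]

# Constructed, truncated TLS record: type 0x16 (handshake), version 3.1,
# 2-byte record length, then handshake type 0x01 (ClientHello), 3-byte
# length, client_version 3.3 and the start of the 32-byte random.
SAMPLE_TLS = b"\x16\x03\x01\x00\x2b\x01\x00\x00\x27\x03\x03" + b"\x00" * 32
SAMPLE_SSH = b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"          # constructed
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed
SAMPLE_JUNK = b"\x00\x0e\x38\x01\x02\x03"                     # constructed

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def classify_first_bytes(data: bytes) -> Kind:
    """Return the protocol family suggested by the first client bytes."""
    # TLS record header: content type 0x16, major version 3, minor 0..4,
    # then the first handshake message must be a ClientHello (0x01).
    # (SSLv2-style hellos start with 0x80 and land in "unknown".)
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls-clienthello"
    # SSH clients send their identification string first (RFC 4253).
    if data.startswith(b"SSH-"):
        return "ssh"
    # Cleartext HTTP on 443: a method token followed by " HTTP/".
    if data.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/" in data:
        return "plain-http"
    return "unknown"


def summarize(first_bytes_per_connection: Iterable[bytes]) -> Dict[str, int]:
    """Count connections per detected kind, as a bump operator would log."""
    counts: Dict[str, int] = {}
    for data in first_bytes_per_connection:
        kind = classify_first_bytes(data)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize([SAMPLE_TLS, SAMPLE_SSH, SAMPLE_HTTP, SAMPLE_JUNK]))
```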
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users