On 26/06/2015 8:40 p.m., FredB wrote: > Mike, you can also to try the dev branch > https://github.com/e2guardian/e2guardian/tree/develop > SSLMITM works now. The request from the client is intercepted, a spoofed > certificate supplied for > the target site and an encrypted connection made back to the client. > A separate encrypted connection to the target server is set up. The > resulting > http dencrypted stream is then filtered as normal.
If that order of operations is correct then the e2guardian dev have made the same mistake we made back in Squid-3.2. client-first bumping opens a huge security vulnerability - by hiding issues on the server connection from the client it enables attackers to hijack the server connection invisibly. This is the reason the more difficult to get working server-first and peek-n-splice modes exist and are almost mandatory in Squid today. Amos _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
