Thanks for your reply.

The 13-year-old child in me says "I want it fixed yesterday"
since false positives are very painful and cannot always
be prevented, since the environment where Squid works is
not always that easy to control.

You mentioned earlier that a fix will probably go in Squid 5,
which is long overdue, and there is no workaround.  A second
thought is to have an acl that determines for which domains
the check must be skipped, but this is not optimal since
the admin gains an extra job.

My vote goes to re-prioritizing the fix and putting it in Squid 4.
Of course I have no idea about the implications.

Thanks
Marcus


On 09/04/2016 01:12 PM, Amos Jeffries wrote:
> On 31/08/2016 5:25 a.m., Marcus Kool wrote:
>> Do I understand it correctly that Squid in normal proxy mode
>> allows malware to do a CONNECT to any destination, while in
>> transparent proxy mode it does extra security checks which cause
>> some regular (non-malware) clients to fail?
>
> Intercepted traffic has different processing applied, different
> assumptions made about the traffic, and a different security model
> relevant to its messages.
>
> The short answer is "yes", but reality is not that simple black/white.
>
>> And philosophical questions: is Squid the right tool
>> to stop malware?  If yes, is it acceptable that connections
>> of regular (non-malware) clients are wrongly dropped?
>
> No more or less than any software.
>
> Squid manages the HTTP that flows through it. If the malware uses HTTP
> messages to communicate then it is very much part of Squid's job to
> prevent that. Other protocols Squid is not responsible for, except to
> prevent itself being a vector of attack.
>
>> IMO Squid should do all it can to be a secure proxy.
>
> Which is the case for Host forgery attacks. If Squid did not MITM the
> network traffic, there would not be a vulnerability to Host forgery
> issues. Therefore an intercept/tproxy Squid is very much responsible for
> preventing this particular type of attack which it causes to exist.
>
> A forward-proxy or reverse-proxy does not have that vulnerability,
> therefore does not need to check the same things.
>
>> Doing security checks on connections in an attempt
>> to stop malware sounds like a job for an antivirus / IDS tool.
>
> Additional to what Squid does. Indeed many of those tools use a proxy
> service which performs the same or similar checks to what Squid does,
> with far more intrusive behaviour, or are themselves also vulnerable to
> becoming vectors of the Host attack(s). The Host attack(s) are a
> vulnerability built into the concept of MITM'ing HTTP(S) traffic. It is
> not something specific to Squid.
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
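The check Amos is describing for intercepted traffic, written out as an added example (this is not Squid's code and not from anyone in the thread): an intercepting proxy knows where the client's TCP connection was really going, so it can compare that original destination against what the Host header resolves to. A forward proxy has no such original destination to compare against, which is why the check only exists in intercept/tproxy mode. The DNS table, the `strict` switch and the "pin to the original destination" outcome for the non-strict case are this example's own simplified model of the behaviour; the port comparison is likewise an assumption of this example. The `cdn_false_positive` case shows the failure mode Marcus complains about: a legitimate client whose resolver handed out an address the proxy's resolver did not.

```python
"""Host-forgery verification for intercepted HTTP, simplified model.

Added example, not Squid's own code. The proxy compares the TCP destination
the client actually connected to (the NAT/TPROXY original destination) with
the addresses the Host header legitimately names. DNS is stubbed with a
constructed table so the example runs offline.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress

# Constructed DNS answers (assumption): what the proxy's resolver returns.
FAKE_DNS = {
    "www.example.com": {"93.184.216.34"},
    # A round-robin CDN name: the client's resolver may return other members
    # of the pool than the proxy's resolver does.
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
}


class Verdict(Enum):
    OK = "ok"                    # destination agrees with Host
    PIN_TO_DESTINATION = "pin"   # mismatch, non-strict: forward only to the original IP, never cache
    REJECT = "reject"            # mismatch, strict mode


@dataclass(frozen=True)
class InterceptedRequest:
    original_dst_ip: str     # where the client's SYN was really sent
    original_dst_port: int
    host_header: str         # authority as sent by the client


def resolve(name):
    """Stub resolver over the constructed table (assumption)."""
    return set(FAKE_DNS.get(name.lower(), ()))


def split_host(host_header, default_port):
    """Split 'name[:port]' or '[v6-literal][:port]' into (name, port)."""
    h = host_header.strip()
    if h.startswith("["):
        end = h.index("]")
        name, rest = h[1:end], h[end + 1:]
    else:
        name, sep, rest = h.partition(":")
        rest = sep + rest
    port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else default_port
    return name, port


def expected_addresses(name, resolver):
    """Addresses the Host may legitimately point at: the literal itself, or its DNS answers."""
    try:
        return {str(ipaddress.ip_address(name))}
    except ValueError:
        return resolver(name)


def verify_host(req, strict=False, resolver=resolve):
    """Return (Verdict, reason) for one intercepted request."""
    mismatch = Verdict.REJECT if strict else Verdict.PIN_TO_DESTINATION
    name, port = split_host(req.host_header, req.original_dst_port)
    if port != req.original_dst_port:
        return mismatch, f"Host port {port} != intercepted port {req.original_dst_port}"
    allowed = expected_addresses(name, resolver)
    if req.original_dst_ip in allowed:
        return Verdict.OK, "original destination matches Host"
    return mismatch, f"{req.original_dst_ip} not among {sorted(allowed) or 'no answers'} for {name}"


def demo(strict=False):
    """Run the scenarios from the discussion; returns {name: verdict string}."""
    cases = {
        "legitimate": InterceptedRequest("93.184.216.34", 80, "www.example.com"),
        # Client connected elsewhere but claims a different site in Host.
        "forged_host": InterceptedRequest("203.0.113.5", 80, "www.example.com"),
        # Legitimate client, but its resolver picked a pool member the proxy never saw.
        "cdn_false_positive": InterceptedRequest("198.51.100.12", 80, "cdn.example.net"),
        "ip_literal": InterceptedRequest("203.0.113.5", 80, "203.0.113.5"),
    }
    return {label: verify_host(r, strict=strict)[0].value for label, r in cases.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "non-strict", demo(strict=mode))
```

In non-strict mode the false positive is still costly: the CDN request is pinned to the client's original destination and cannot be served from or stored in the cache, while strict mode drops it outright, which is the behaviour that makes the admin-maintained skip list Marcus mentions tempting.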
