In November I wrote:

> It has been a very long time since the last release of a new version
> of WWWOFFLE, but finally here is version 2.9-beta.
...
> There are some other features that I wanted to add in, but for various
> reasons this release came before they were available. It is possible
> that there will be another beta version released with new features
> before the final version 2.9 release.

At long last I have completed (beta versions) the extra features that I
have been working on for WWWOFFLE.

This is a feature that has been requested in WWWOFFLE on this mailing
list, but not one that had a lot of discussion. Even before the subject
had been raised here it was something that I wanted to add. It is not a
feature that many web proxies have, but WWWOFFLE is not the first one to
do it.

This new feature is caching of https connections. When this is possible
it means that WWWOFFLE will see the un-encrypted version of the headers
and page content. This means that all of the other WWWOFFLE features
are available like censoring headers, modifying HTML, blocking content,
URL specific age limits etc.

There is obviously a downside to this, if not used correctly it could
lead to a reduction in security. This could be accidental, for example
caching web pages that contain cookies to log onto your online bank. It
could also be deliberate deception by interfering with the https
connections of other users without telling them. Neither of these are
specific to WWWOFFLE, cookies may leak from your browser if they are
saved to disk and other proxies allow interception like WWWOFFLE does.

If you want to use this feature you will need to take positive actions.
This means compiling WWWOFFLE with the gnutls library and enabling
caching of https instead of tunneling which is the default. This option
can be selected on a host by host basis so that some hosts are cached
and some are tunneled like in older WWWOFFLE versions. You will need to
have version 1.2.8 or later of libgnutls installed when compiling.

If you do not want to use this feature then you can just compile
WWWOFFLE as normal and there will be little difference from version
2.9-beta.

If you want to know more then there is a new file in the 'doc' directory
of the source code called 'README.https' that explains https security,
the trust model and how WWWOFFLE can subvert it.

As always I am interested in your feedback on new WWWOFFLE versions, and
in particular this new feature. If it works for you or not or if you
want to discuss the security aspects then use this mailing list.

The source code can be downloaded from the web:

http://www.gedanken.freeserve.co.uk/download-wwwoffle/wwwoffle-2.9-beta-ssl.tgz

The full set of changes since version 2.8e are below.

-------------------- NEWS --------------------

Version 2.9-beta-ssl
- - - - - - - - - -

Bug Fixes:
  Fix configure script AC_INIT and tests for sys/mount.h.
  Block more Javascript when modifying HTML.
  Don't change the URL hash for a POST request when fetching it.
  Don't handle parameter separately from path in URL.
  Don't split up large writes when no timeout is set.

Internal Code Changes:
  More changes for integer variables on systems where sizeof(long)!=sizeof(int).
  Change the configure_io_*() functions for each type of IO not each direction.

New Features:
  Added ability to make secure browser connection to WWWOFFLE using HTTPS.
  Added ability to cache SSL connection data (https) (config file options).
  Added a page to show information about the SSL certificates stored by WWWOFFLE.

Documentation:
  Add new documentation about HTTPS SSL/TLS security, trust and WWWOFFLE.

*NOTE* If you want to enable HTTPS/SSL functions in WWWOFFLE you must enable it
when running configure prior to compiling. It is not enabled by default.

*NOTE* If you have compiled WWWOFFLE with gnutls there will be a delay the first
time that wwwoffled is started and the first time each https server is accessed
due to the creation of secure encryption keys.

Version 2.9-beta
- - - - - - - -

Bug Fixes:
  When modifying HTML check cache status of link aliases.
  Fix an error message when executing a change mode script.
  Fix URL encoding in index pages.
  Remove warnings compiling with CYGWIN.
  Make the ssl-allow-port config file option work for port 80.
  If confirm-requests is enabled don't allow POST/PUT.
  Warn if timestamp of monitored file cannot be changed.
  Remove fake URL arguments from aliased URL for POST/PUT.
  Print internal page headers in ExtraDebug mode.
  'wwwoffle -fetch' works in autodial mode.
  Avoid config editing pages being cached by browser.
  Be more consistent with removing '#' from URLs in all cases.
  Handle URLs with URL-encoded hostnames.
  Handle purge with age=-1 and min-free or max-size set.
  Break socket writes into small pieces for huge data blocks.
  Purge from lasttime and prevtime if URL purged from main cache.

Internal Code Changes:
  Lots of internal modifications to remove years of accumulated ugliness.
  Source code changes to increase speed and reduce memory size.
  Use 'const' for fixed data arrays and function parameters where possible.
  Be careful with integer variables on systems where sizeof(long)!=sizeof(int).
  Reduce code size if compiling without zlib option.

New Features:
  Add a new layer of buffering to avoid large number of small network writes.
  Add checkboxes to protocol indexes (e.g. /index/http) for deleting multiple.
  Add reset button (and more if javascript) to clear delete checkboxes.
  Add the ability to use the Hyper Estraier programs to search the cache.
  Improve the purge output, print more information about what is happening.

Programs:
  Move the convert-cache and uncompress-cache functions into wwwoffle-tools.

Documentation:
  Remove the file called CONVERT and all references to ancient WWWOFFLE versions.
  Add new documentation about Hyper Estraier and update other search documents.
  Tidy the README.1st file.

*NOTE* The configure script will enable IPv6 by default if possible.
If you explicitly want it disabled you must do this yourself.

*NOTE* The URLs for deleting cached web pages have changed. For example
'/control/delete-url/?xxx' is now '/control/delete/url?xxx'.

*NOTE* The HTML message files no longer have 'localhost' defined, but
'localurl' is used instead (http://$localhost/ -> $localurl/).

-------------------- NEWS --------------------

--
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop [EMAIL PROTECTED]
http://www.gedanken.demon.co.uk/

WWWOFFLE users page:
http://www.gedanken.demon.co.uk/wwwoffle/version-2.9/user.html
