LinuxQuestions.org
Old 05-29-2005, 11:33 PM   #1
anybody1234
LQ Newbie
 
Registered: Apr 2005
Location: Mumbai India
Distribution: Suse Linux 9.2
Posts: 27
Dedicated HTTPS proxy?


Hello,

I was wondering whether there is any dedicated proxy server for catering to HTTPS connections,
as the normal Squid proxy that I use does not seem to take care of HTTPS requests;
in access.log I never see any HTTPS request being logged.

Is it true that it is not possible to proxy HTTPS requests?

If so, then why do we have an option for a secure proxy server in Internet Explorer?

Any ideas or help in this regard would be appreciated.
Thanks.
Old 05-29-2005, 11:53 PM   #2
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
yes, squid works with HTTPS... you'll need to have given it the "--enable-ssl" configure option before you compiled it, though...

http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12

just my ...


Last edited by win32sux; 05-29-2005 at 11:55 PM.
Old 05-30-2005, 07:21 PM   #3
Gaz25
Member
Registered: Aug 2004
Distribution: Debian, FreeBSD, Fedora, Ubuntu
Posts: 46
As said, squid will work with HTTPS, however, that's quite insecure really - do note that it 'could' be possible for other network users to gain access to HTTPS data.
Old 05-30-2005, 09:11 PM   #4
sigsegv
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
Ummm ... Not without the keys that are on the remote server. I fail to see how squid will help with that ... SSL is secure through proxies. Squid is no different.

Anybody1234:

You won't see SSL wrapped requests. You'll see CONNECT requests, but the actual transmission (including the URI requested) is encrypted. That's kinda the point
Old 05-30-2005, 09:17 PM   #5
Gaz25
Member
Registered: Aug 2004
Distribution: Debian, FreeBSD, Fedora, Ubuntu
Posts: 46
yeah, take Google WebAccelerator though, probably based on squid. There was a major security flaw where users were being logged into online shops, etc. I don't trust proxies for HTTPS, unless they are secure and don't cache encrypted requests.
Old 05-30-2005, 09:47 PM   #6
sigsegv
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
Then I'd say you didn't read the disclosure closely enough. The issue was with cached copies of HTTP pages (this forum for example) where the user has to "log in", not HTTPS. Google doesn't cache HTTPS. They can't (without doing some nasty "man in the middle" stuff).

Standard HTTP proxies do not cache HTTPS. I can't say without digging a little more into specs and whatnot than I want to right now, but I'm inclined to say that HTTP proxies not only do not, but can not cache HTTPS transactions, even if they wanted to.

Proxies facilitate HTTPS through the use of CONNECT. The proxy opens a socket to the server and forwards all data to and from the client through it. It has no knowledge of what's *in* the data as it's encrypted.

As I said earlier, "That's kinda the point"
Old 05-30-2005, 10:11 PM   #7
Gaz25
Member
Registered: Aug 2004
Distribution: Debian, FreeBSD, Fedora, Ubuntu
Posts: 46
Thanks for the info, just... My proxy server has an HTTPS transaction cache :-o It's a PC LAN SUITE 2004, from 602software so that's why I thought that. Soon I'll be running squid when I get my smoothwall installed again.
Old 05-30-2005, 10:20 PM   #8
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally posted by Gaz25
Thanks for the info, just... My proxy server has an HTTPS transaction cache :-o It's a PC LAN SUITE 2004, from 602software so that's why I thought that. Soon I'll be running squid when I get my smoothwall installed again.
ummm, are you 100% sure about that?? i looked at the website and didn't see anything about any HTTPS cache being used...
Old 05-30-2005, 10:37 PM   #9
sigsegv
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
I'm 100% sure that it doesn't.
Old 05-30-2005, 11:32 PM   #10
anybody1234
LQ Newbie
Registered: Apr 2005
Location: Mumbai India
Distribution: Suse Linux 9.2
Posts: 27

Original Poster
Hi there,

Thanks everybody for replies....

Does squid proxy HTTPS requests transparently?
This was the reason for posting the query; sorry I forgot to mention that in my earlier post.
As far as I have seen, it does not proxy HTTPS requests transparently.
If anybody has had success in configuring squid in transparent proxy mode with HTTPS requests proxied, please share the configuration.

Or does any other proxy do this, i.e. HTTPS requests in transparent mode?
Old 05-30-2005, 11:41 PM   #11
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
AFAIK, squid can NOT proxy HTTPS in transparent mode...
Old 05-30-2005, 11:49 PM   #12
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
BTW, just curious: why do you want to proxy HTTPS transparently considering the cache won't be used anyways??
Old 05-31-2005, 08:58 AM   #13
Gaz25
Member
Registered: Aug 2004
Distribution: Debian, FreeBSD, Fedora, Ubuntu
Posts: 46
HTTPS is there, in advanced settings there is a tick box to disable CGI caching, HTTPS caching. Both are disabled by default, so it's not a security problem. I assume it doesn't actually cache anything other than images in that mode anyway.
Old 05-31-2005, 10:55 AM   #14
sigsegv
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
Without seeing a screenshot of the advanced tab, we'll have to take your word for it. I'm not going to install it just to find out, but really ... An HTTP proxy *can't* cache HTTPS data. It's just not possible.

Without going into a boring dissertation on the merits of PKE and all that stuff -- when the client browser connects to the server, it verifies (or tries to) the identity of the server based on its hostname and the CN field in the SSL cert. If they don't match, you get a security warning. If they do match (and the cert is valid for the date you're using it and a whole host of other stuff), then the crypto begins and everything from that point on is wrapped up in really big math... That's why a client will call out to the proxy and say CONNECT Host:Port HTTP/1.1. That tells the proxy "Don't do anything to get in my way here, just give me a connection to Host:Port".

The only way that I can think of for a proxy to cache HTTPS data would involve DNS hijacking and/or key theft, neither of which seem terribly likely in this case.


For extra credit - You can use CONNECT on loosely configured proxies to talk to all kinds of services such as IRC, SSH or just about any other "one port" protocol ... And no, it won't be cached either

Last edited by sigsegv; 05-31-2005 at 10:57 AM.
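The CONNECT handling sigsegv describes in posts #6 and #14, as an added example that is not code from this thread or from Squid: a parser for the CONNECT request line, the port policy a proxy should apply before opening the blind tunnel (stock squid.conf restricts CONNECT to its SSL_ports ACL, port 443 by default; the port set, hostnames, client IPs and log-line layout here are assumptions), and the resulting log entry, which shows why an https:// URL never appears in access.log.

```python
import re

# Ports a proxy should let CONNECT reach. Keeping this set small is what stops
# a loosely configured proxy from becoming a generic tunnel to IRC, SSH, etc.
ALLOWED_CONNECT_PORTS = frozenset({443})

# CONNECT authority form: host:port (IPv6 literal in brackets), then HTTP version.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+):(?P<port>\d{1,5})"
    r"\s+HTTP/1\.[01]$"
)


def parse_connect(request_line):
    """Return (host, port) for a well-formed CONNECT line, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if m is None:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port


def decide_connect(request_line, allowed=ALLOWED_CONNECT_PORTS):
    """Policy the proxy applies before opening the blind tunnel.
    Returns ("TUNNEL" or "DENY", host, port); host and port are None when the
    line is not a valid CONNECT request at all."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return ("DENY", None, None)
    host, port = parsed
    return ("TUNNEL" if port in allowed else "DENY", host, port)


def access_log_entry(client_ip, request_line, bytes_relayed):
    """All a proxy can log about an HTTPS session: the CONNECT target, the
    verdict and byte counts. Path, headers and body travel inside TLS, so an
    https:// URL never appears in access.log. (Constructed layout, not Squid's.)"""
    verdict, host, port = decide_connect(request_line)
    target = f"{host}:{port}" if host else "-"
    return f"{client_ip} CONNECT {target} {verdict} {bytes_relayed}"


def is_tls_record(first_bytes):
    """The most a proxy can tell about tunnelled bytes: whether they look like
    a TLS record (content type 0x16 = handshake, major version byte 0x03)."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
```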
Old 05-31-2005, 05:55 PM   #15
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
I assume it doesn't actually cache anything other than images in that mode anyway.
how would it know what is an image?? "that's kinda the point of encryption..."


Last edited by win32sux; 05-31-2005 at 06:12 PM.