Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I was wondering whether there is any dedicated proxy server for catering to HTTPS connections,
as the normal Squid proxy that I use does not seem to take care of HTTPS requests;
in access.log I never see any HTTPS request being logged.
Is it true that it is not possible to proxy HTTPS requests?
If so, then why do we have an option for a secure proxy server in Internet Explorer?
Any ideas or help in this regard would be appreciated.
Yeah, take Google Web Accelerator though, probably based on Squid. There was a major security flaw where users were being logged into online shops, etc. I don't trust proxies for HTTPS, unless they are secure and don't cache encrypted requests.
Then I'd say you didn't read the disclosure closely enough. The issue was with cached copies of HTTP pages (this forum for example) where the user has to "log in", not HTTPS. Google doesn't cache HTTPS. They can't (without doing some nasty "man in the middle" stuff).
Standard HTTP proxies do not cache HTTPS. I can't say without digging a little more into specs and whatnot than I want to right now, but I'm inclined to say that HTTP proxies not only do not, but can not cache HTTPS transactions, even if they wanted to.
Proxies facilitate HTTPS through the use of CONNECT. The proxy opens a socket to the server and forwards all data to and from the client through it. It has no knowledge of what's *in* the data as it's encrypted.
Thanks for the info, just... my proxy server has an HTTPS transaction cache :-o It's PC LAN SUITE 2004, from 602software, so that's why I thought that. Soon I'll be running Squid when I get my Smoothwall installed again.
Originally posted by Gaz25: Thanks for the info, just... my proxy server has an HTTPS transaction cache :-o It's PC LAN SUITE 2004, from 602software, so that's why I thought that. Soon I'll be running Squid when I get my Smoothwall installed again.
Umm, are you 100% sure about that? I looked at the website and didn't see anything about any HTTPS cache being used...
Does Squid proxy HTTPS requests transparently?
This was the reason for posting the query; sorry, I forgot to mention that in my earlier post.
As far as I have seen, it does not proxy HTTPS requests transparently.
If anybody has had success in configuring Squid in transparent proxy mode with HTTPS requests proxied, please share what the configurations are.
Or does any other proxy do this, i.e. HTTPS requests in transparent mode?
HTTPS is there; in advanced settings there is a tick box to disable CGI caching and HTTPS caching. Both are disabled by default, so it's not a security problem. I assume it doesn't actually cache anything other than images in that mode anyway.
Without seeing a screenshot of the advanced tab, we'll have to take your word for it. I'm not going to install it just to find out, but really ... An HTTP proxy *can't* cache HTTPS data. It's just not possible.
Without going into a boring dissertation on the merits of PKE and all that stuff -- when the client browser connects to the server, it verifies (or tries to) the identity of the server based on its hostname and the CN field in the SSL cert. If they don't match, you get a security warning. If they do match (and the cert is valid for the date you're using it and a whole host of other stuff), then the crypto begins and everything from that point on is wrapped up in really big math... That's why a client will call out to the proxy and say CONNECT Host:Port HTTP/1.1. That tells the proxy "Don't do anything to get in my way here, just give me a connection to Host:Port".
The only way that I can think of for a proxy to cache HTTPS data would involve DNS hijacking and/or key theft, neither of which seem terribly likely in this case.
For extra credit - You can use CONNECT on loosely configured proxies to talk to all kinds of services such as IRC, SSH or just about any other "one port" protocol ... And no, it won't be cached either
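The CONNECT exchange described in the post above, as an added Python example that is not from any poster in this thread: the client sends the proxy a CONNECT line, checks for a 200 reply, and only then starts TLS inside the tunnel, so the proxy's log can only ever record host:port and the certificate check happens at the client. The proxy address 127.0.0.1:3128 (Squid's default port) and the target example.com are assumptions for the demo.

```python
import socket
import ssl

def build_connect_request(host: str, port: int) -> bytes:
    """Build the request a client sends to a proxy to ask for a raw tunnel.
    This line (and nothing after it) is what ends up in the proxy's access log."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def parse_connect_response(raw: bytes) -> int:
    """Return the status code from the proxy's reply to CONNECT.
    Anything other than 200 means the proxy refused or could not open the tunnel."""
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def open_tunnel(proxy_host: str, proxy_port: int, host: str, port: int,
                timeout: float = 10.0) -> ssl.SSLSocket:
    """Ask the proxy for a tunnel, then start TLS *inside* it.
    From here on the proxy only forwards opaque encrypted bytes."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(host, port))
    buf = b""
    while b"\r\n\r\n" not in buf:          # read the proxy's reply headers
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    status = parse_connect_response(buf)
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    # Default context verifies the chain and that the cert's CN/SAN matches `host`;
    # this check is done by the client, never by the proxy.
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)

if __name__ == "__main__":
    # Assumed demo values: a local Squid on 3128 and example.com as the HTTPS target.
    tls = open_tunnel("127.0.0.1", 3128, "example.com", 443)
    tls.sendall(b"GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n")
    print("server cert subject:", tls.getpeercert()["subject"])
    print(tls.recv(200))
    tls.close()
```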