Re: [squid-users] Squid use SSL ALWAYS?

From: Chris Lightfoot <chris@dont-contact.us>
Date: Thu, 29 Jun 2006 00:01:18 +0100

On Wed, Jun 28, 2006 at 11:07:01AM -0700, Aaron Gray wrote:
> I have squid working perfectly as a caching proxy server.
> If I access my squid proxy server from a network that has some kind of
> "sniffing" software, they can see the headers are HTTP headers (even though
> it is on a weird port) and still identify where your going and read all the
> plain text HTML.
>
> Is there any way to make it so that when I connect to the squid proxy and
> authenticate (which I require based on my ACL) that it creates a SSL
> connection (or something similar) to where all traffic is encrypted even if
> the destination page is not a https website? I want to hide the plain text.

as others have suggested, you can use an SSL tunnel for
this application. You could also use SSH's port forwarding
facilities. However, note that this will not prevent an
attacker with access to the network from discovering that
you are using HTTP -- the pattern and timing of requests
sent and replies received is likely to be quite
characteristic of the protocol. This sort of traffic
analysis will not reveal which web pages you are viewing
(unless your client leaks that information in other ways,
for instance by doing DNS queries for them) but it will
reveal that you're using HTTP, or another similar
protocol.

-- 
``My teacher's face when he worked out what I was doing was a picture. A
  picture of howling existential despair. So no change there, then.''
  (Dominic Fox, on abbreviations)
Received on Wed Jun 28 2006 - 17:01:22 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Jul 01 2006 - 12:00:02 MDT