Hi, folks...
I am sure that this 'feature' is well-known and there already a
common-understanding of how to deal with it. Proxy users can use the
squid to tunnel their SSH sessions any destination they like - at least
if the port is allowed for the 'CONNECT' method. On my mind it is
impossible for squid to distinguish SSL-wrapped http sessions from
SSL-wrapped terminal connection as it cannot decrypt the encrypted data
stream.
So much for the theory. Now how do 'normal administrators' handle this
obvious security hole? I think that a handful of hackers at our company
know quite well that we use Squid and will set up an ssh daemon on their
home PC answering connection requests on port 443.
Shall I only allow SSL on request? That would make people use the HTTP
pages instead of the much more secure HTTPS websites for transmitting
sensible data. Shall I block destination IP ranges which probably lead
to home PCs in dialup networks? Or shall I buy an expensive commercial
third-party proxy which is capable of doing a kind of
'man-in-the-middle-SSL-understanding-proxy' to filter out non-HTTP
requests?
I'd like to hear your opinions.
Christoph
-- ~ ~ ".signature" [Modified] 3 lines --100%-- 3,41 All
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:57 MST