Re: [squid-users] Re: Squid log details - HTTPS tunnel detection

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 28 May 2007 22:26:17 +0200

Tue 2007-05-29 at 00:18 +0800, Adrian Chadd wrote:

> Are there any fingerprint bits in the SSL exchange which would tell
> you it's at least SSL encrypted traffic, versus just traffic not tunneled
> inside SSL? That's probably a good starting point.

The initial hello message exchange isn't too hard to identify. But there
are a couple of different ones (SSLv2, SSLv3, TLS), and who knows what the
future revisions will look like.

One very trivial thing which doesn't require any payload inspection but
yet would block at least SSH, SMTP, POP and IMAP is to require the
client to send the first packet. The SSH protocols all start with the
client sending a hello message, while in most Internet application
protocols it's the server which sends the hello message.

Regards
Henrik

Received on Mon May 28 2007 - 14:26:24 MDT
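An added illustration of the two checks discussed in this thread (example code, not from the thread or from Squid): classify the first bytes a client pushes through a CONNECT tunnel as an SSLv2, SSLv3 or TLS ClientHello, and reject tunnels where the server spoke first. The sample byte strings are constructed, and the client-first flag passed to `tunnel_verdict` is assumed to be supplied by the proxy's tunnel code.

```python
import struct
from typing import Optional, Tuple

# Constructed samples of the first bytes a client might send after CONNECT.
# TLS: record header (type 0x16 handshake, record version 3.1, length 6)
#      + handshake header (type 0x01 ClientHello, length 2) + client_version 3.3
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03])
# SSLv3: same framing, but client_version 3.0
SSLV3_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x00])
# SSLv2: 2-byte header with the high bit set, msg type 0x01, version 0.2
SSLV2_HELLO = bytes([0x80, 0x03, 0x01, 0x00, 0x02])
# Plain HTTP, which a client also sends first but is not SSL at all
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def classify_hello(data: bytes) -> Optional[str]:
    """Return 'SSLv2', 'SSLv3' or 'TLS' if data starts with a ClientHello, else None."""
    # SSLv3/TLS framing: handshake record, major version 3, ClientHello inside.
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        rec_len = struct.unpack("!H", data[3:5])[0]
        if rec_len < 4:  # record too short to even hold a handshake header
            return None
        major, minor = data[9], data[10]
        if major != 3:
            return None
        return "SSLv3" if minor == 0 else "TLS"
    # SSLv2 framing: high bit of first byte set, third byte is the message type.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        major, minor = data[3], data[4]
        if (major, minor) == (0, 2):
            return "SSLv2"
        if major == 3:  # v2-style record carrying an SSLv3/TLS version (v2-compatible hello)
            return "TLS"
        return None
    return None


def tunnel_verdict(client_spoke_first: bool, first_bytes: bytes) -> Tuple[bool, str]:
    """Decide whether a CONNECT tunnel looks like SSL/TLS.

    The cheap check needs no payload inspection: server-first protocols such as
    SSH, SMTP, POP and IMAP fail immediately. Only then is the client's first
    data inspected for a recognisable ClientHello.
    """
    if not client_spoke_first:
        return False, "server spoke first: not an SSL/TLS client"
    kind = classify_hello(first_bytes)
    if kind is None:
        return False, "client data is not an SSL/TLS ClientHello"
    return True, kind
```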
