Ilya wrote:
> >> Does squid cache data, when a client requests and
> >> communicates over https? Does squid cache data from
> >> SSL connection?
> >
> >
> > No, the SSL encryption is end-to-end, so Squid has no means of even
> > knowing there is https traffic over that connection. To Squid it is all
> > just "some kind of unknown data being transferred, looking like
> > 'garbage'".
> >
> > All Squid knows is that the browser has requested to make a full duplex
> > TCP tunnel to enable SSL to host X on port Y.
>
>
> Hm, as I understood, squid is between client and server when they
> establish SSL connection. So can squid, in theory, act as "man in the
> middle", catch all public keys and replace them with its own and then
> decrypt all data? Ok, I ask it not because I'm going to do so, I only
> want to know whether somebody can do so :) For example, the developers of
> squid (it's a joke :) ).
Not without users knowing. SSL certificates are unique to each site,
and if they are not authorized against a certificate authority, the user
will be warned by their browser. Of course, sometimes the warning is
ignored, but I'd be suspicious if every site I went to had the same
certificate...
One part of the security requirement of SSL is end-to-end trust.
Without that, any proxy could hijack connections and 'listen in'. It
would require a huge endeavour to bypass those tests of end-to-end
security...though someone with enough resources might manage it
("enough" here being defined as "practically unlimited").
-- Joe Cooper <joe@swelltech.com> Web caching appliances and support. http://www.swelltech.com

Received on Sat Nov 23 2002 - 01:05:40 MST
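To make the two points above concrete (the browser asks the proxy for a raw TCP tunnel with CONNECT, and the TLS handshake then runs end-to-end so a proxy that swaps in its own certificate fails the client's checks), here is an added example, not code from this thread or from Squid: a small Python client that opens a CONNECT tunnel, completes the handshake with normal CA and hostname validation, and additionally compares the server certificate against a pinned SHA-256 fingerprint. The proxy address is a constructed placeholder.

```python
import hashlib
import socket
import ssl

PROXY = ("proxy.example.invalid", 3128)  # constructed placeholder, not a real proxy


def build_connect_request(host: str, port: int) -> bytes:
    """The request a browser sends to ask the proxy for a full duplex TCP tunnel."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect_status(raw: bytes) -> int:
    """Return the status code from the proxy's reply to CONNECT; 200 means the tunnel is open."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line")
    return int(parts[1])


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def read_proxy_reply(sock: socket.socket) -> bytes:
    """Read until the end of the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return buf


def verify_through_proxy(host: str, port: int, expected_fp: str, proxy=PROXY) -> bool:
    """Open the tunnel, then run TLS end-to-end through it. The default context
    validates the chain against the system CA store and checks the hostname, so a
    proxy presenting its own certificate raises SSLCertVerificationError; a trusted
    but unexpected certificate is caught by the pinned-fingerprint comparison."""
    with socket.create_connection(proxy) as sock:
        sock.sendall(build_connect_request(host, port))
        if parse_connect_status(read_proxy_reply(sock)) != 200:
            raise ConnectionError("proxy refused CONNECT")
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_fingerprint(tls.getpeercert(binary_form=True)) == expected_fp
```

Only the handshake and the fingerprint comparison need the network; the request builder, status parser and fingerprint helper can be exercised offline.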