Certificate transparency: problem for ssl-bumping, no effect, or?

Certificate transparency: problem for ssl-bumping, no effect, or?

L A Walsh
Google is pushing this for all websites by October 2017

One issue to be "caught" are subordinated CA certs that can
allow one vector for generating certs accepted by browsers w/o
importing any new certs.

Some of the info on the cert page:

    https://www.certificate-transparency.org/what-is-ct

Seems to indicate that site-local generated and imported
certs may also be detected as invalid and be disallowed for
SSL connection approvals.  That would be a major pain given
google's actions that seem to be hostile to end-user (or
end-site) web-caching.
(saw this on http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/).

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Yuri Voinov

When the future comes, then we will worry. What is the wonder, then?

October 2017 is not tomorrow.


On 01.11.2016 4:13, L. A. Walsh wrote:

> Google is pushing this for all websites by October 2017
>
> One issue to be "caught" are subordinated CA certs that can
> allow one vector for generating certs accepted by browsers w/o
> importing any new certs.
>
> Some of the info on the cert page:
>
>    https://www.certificate-transparency.org/what-is-ct
>
> Seems to indicate that site-local generated and imported
> certs may also be detected as invalid and be disallowed for
> SSL connection approvals.  That would be a major pain given
> google's actions that seem to be hostile to end-user (or
> end-site) web-caching.
> (saw this on
> http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/
> ).
>

--
Cats - delicious. You just do not know how to cook them.



Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Yuri Voinov

Google is anyway not too conducive to end-user caching. One problem more, one less, what's the difference? When they begin to beat us, we'll start to cry. In general, a year in IT is an eternity. During this time, anything can happen. So relax, cousin. Nothing else has happened. ;)

PS. Magic bullets do not exist. You have forgotten that some governments are willing to carry out SSL Bump globally over their citizens. This is a separate issue for everyone, not just for those citizens. So quietly celebrate Halloween and do not ride the wave :)

On 01.11.2016 4:41, Yuri Voinov wrote:
>
> When the future comes - then we will worry. What wonder, then?
>
> October 2017 is not tomorrow.
>
>
> On 01.11.2016 4:13, L. A. Walsh wrote:
> > Google is pushing this for all websites by October 2017
>
> > One issue to be "caught" are subordinated CA certs that can
> > allow one vector for generating certs accepted by browsers w/o
> > importing any new certs.
>
> > Some of the info on the cert page:
>
> >    https://www.certificate-transparency.org/what-is-ct
>
> > Seems to indicate that site-local generated and imported
> > certs may also be detected as invalid and be disallowed for
> > SSL connection approvals.  That would be a major pain given
> > google's actions that seem to be hostile to end-user (or
> > end-site) web-caching.
> > (saw this on
> > http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/
> > ).
>


--
Cats - delicious. You just do not know how to cook them.


Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Alex Rousskov
On 10/31/2016 04:13 PM, L. A. Walsh wrote:
> Google is pushing this for all websites by October 2017

Just Extended Validation (EV) sites, to be exact AFAICT. All other sites
will be forced into the new scheme sometime later. Naturally, this may
result in requests to downgrade mimicked server certificates to remove
the EV extension (assuming we mimic it today).


>    https://www.certificate-transparency.org/what-is-ct
>
> Seems to indicate that site-local generated and imported
> certs may also be detected as invalid and be disallowed for
> SSL connection approvals.  That would be a major pain

The question is whether the affected browsers will have knobs to disable
CT checks or perhaps to configure custom Certificate Log addresses. If
everything is hard-coded, then bumping is doomed. Otherwise, expect more
sysadmin pains. You can probably answer that question now by studying
Chrome configuration.

Alex.

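Added example, not code from this thread or from Squid: a standard-library Python walker over an X.509 Extensions block that reports whether a certificate carries the RFC 6962 embedded SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2) or a certificatePolicies extension containing the CA/Browser Forum EV policy OID (2.23.140.1.1), and re-encodes the extensions without them. That is the "downgrade the mimicked certificate" step Alex mentions above, done on the DER rather than by hand. The sample extension set is constructed inline (the SCT payload is a dummy empty list), and all helper names are this example's own assumptions.

```python
"""Detect and strip CT / EV marker extensions from an X.509 Extensions block.

Standard-library only: a minimal DER reader/writer suffices because we only
walk SEQUENCE / OID / BOOLEAN / OCTET STRING nodes. Helper names are this
example's own, not Squid's.
"""
from typing import Dict, List, Tuple

OID_SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"   # RFC 6962 embedded SCT list (real OID)
OID_CERT_POLICIES = "2.5.29.32"            # certificatePolicies (real OID)
OID_EV_POLICY = "2.23.140.1.1"             # CA/Browser Forum EV policy (real OID)
OID_BASIC_CONSTRAINTS = "2.5.29.19"        # basicConstraints (real OID)

Extension = Tuple[str, bool, bytes]        # (dotted OID, critical, extnValue contents)


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER contents (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(der: bytes) -> List[Extension]:
    """Extensions ::= SEQUENCE OF Extension { OID, BOOLEAN critical OPTIONAL, OCTET STRING }."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                     # optional BOOLEAN critical
            critical = body != b"\x00"
            tag, body, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        exts.append((decode_oid(oid_body), critical, body))
    return exts


def policy_oids(cert_policies: bytes) -> List[str]:
    """policyIdentifier of each PolicyInformation inside a certificatePolicies value."""
    _, seq, _ = read_tlv(cert_policies, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)
        _, oid_body, _ = read_tlv(info, 0)
        oids.append(decode_oid(oid_body))
    return oids


def encode_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    parts = tlv(0x06, encode_oid(oid))
    if critical:
        parts += tlv(0x01, b"\xff")
    return tlv(0x30, parts + tlv(0x04, value))


def ct_ev_markers(der: bytes) -> Dict[str, bool]:
    """Which CT / EV markers a browser would see in this extension set."""
    exts = parse_extensions(der)
    return {
        "has_sct_list": any(o == OID_SCT_LIST for o, _, _ in exts),
        "has_ev_policy": any(o == OID_CERT_POLICIES and OID_EV_POLICY in policy_oids(v)
                             for o, _, v in exts),
    }


def strip_ct_ev(der: bytes) -> bytes:
    """Re-encode Extensions without the SCT list and without an EV certificatePolicies."""
    kept = b""
    for oid, critical, value in parse_extensions(der):
        if oid == OID_SCT_LIST:
            continue
        if oid == OID_CERT_POLICIES and OID_EV_POLICY in policy_oids(value):
            continue
        kept += encode_extension(oid, value, critical)
    return tlv(0x30, kept)


def build_sample() -> bytes:
    """Constructed input: the extension set an EV site's cert might carry once mimicked."""
    basic = encode_extension(OID_BASIC_CONSTRAINTS, tlv(0x30, b""), critical=True)
    ev = encode_extension(OID_CERT_POLICIES,
                          tlv(0x30, tlv(0x30, tlv(0x06, encode_oid(OID_EV_POLICY)))))
    sct = encode_extension(OID_SCT_LIST, tlv(0x04, b"\x00\x00"))  # dummy: empty SCT list
    return tlv(0x30, basic + ev + sct)


if __name__ == "__main__":
    sample = build_sample()
    print("original:", ct_ev_markers(sample))
    print("stripped:", ct_ev_markers(strip_ct_ev(sample)))
```

Copying the origin server's SCTs into a mimicked certificate would not help, and this example deliberately does not do it: each SCT is a log's signature over the original (pre)certificate, so it cannot verify against a certificate re-signed by the proxy CA. Dropping the extension, as above, at least leaves the browser with an honest non-CT certificate to apply its local-CA policy to.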

Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Yuri Voinov



On 02.11.2016 2:03, Alex Rousskov wrote:

> On 10/31/2016 04:13 PM, L. A. Walsh wrote:
>> Google is pushing this for all websites by October 2017
>
> Just Extended Validation (EV) sites, to be exact AFAICT. All other sites
> will be forced into the new scheme sometime later. Naturally, this may
> result in requests to downgrade mimicked server certificates to remove
> the EV extension (assuming we mimic it today).
>
>
>>    https://www.certificate-transparency.org/what-is-ct
>>
>> Seems to indicate that site-local generated and imported
>> certs may also be detected as invalid and be disallowed for
>> SSL connection approvals.  That would be a major pain
>
> The question is whether the affected browsers will have knobs to disable
> CT checks or perhaps to configure custom Certificate Log addresses. If
> everything is hard-coded, then bumping is doomed. Otherwise, expect more
Alex, can you say a little more on this point? Since the whole Internet is
smoothly passing over to HTTPS, and if SSL bump will be impossible to do,
should it be understood that in such a situation you close the Squid
project as unnecessary? :) Seriously, why would it then be needed in a
world without HTTP?

>
> sysadmin pains. You can probably answer that question now by studying
System administrators should always suffer. :) You'd think they now have
only a little pain with installing proxy certificates on mobile
devices. :) By the way, these crutches in HTTPS make no sense if they
can be disabled in some way. That is my deep personal conviction. :)
>
> Chrome configuration.
>
> Alex.
>

--
Cats - delicious. You just do not know how to cook them.


Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Alex Rousskov
On 11/01/2016 02:47 PM, Yuri Voinov wrote:

> if the SSL bump will be impossible to do -
> whether it should be understood that in such a situation you close the
> project Squid as unnecessary? :) Seriously, why does it then need to be
> in a world without HTTP?

Believe it or not, there are still many Squid use cases where bumping is
unnecessary. This includes, but is not limited to, HTTPS proxying cases
with peek/splice/terminate rules and environments where Squid possesses
the certificate issued by CAs trusted by clients. There are also IETF
attempts to standardize transmission of encrypted but proxy-cacheable
content.

I agree that the Squid user base will shrink if nobody can bump 3rd party
traffic, but that reduction alone will not kill Squid.

Alex.

Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Yuri Voinov



On 02.11.2016 2:58, Alex Rousskov wrote:
> On 11/01/2016 02:47 PM, Yuri Voinov wrote:
>
>> if the SSL bump will be impossible to do -
>> whether it should be understood that in such a situation you close the
>> project Squid as unnecessary? :) Seriously, why does it then need to be
>> in a world without HTTP?
>
> Believe it or not, there are still many Squid use cases where bumping is
"Wow, Plop-Plop, what a terrible story" ;)
>
> unnecessary. This includes, but is not limited to, HTTPS proxying cases
> with peek/splice/terminate rules and environments where Squid possesses
Sure, I know. I meet this every day. This is no problem; it still
remains a relatively low percentage.
>
> the certificate issued by CAs trusted by clients. There are also IETF
> attempts to standardize transmission of encrypted but proxy-cachable
> content.
Hope they are not completely headless.
>
>
> I agree that Squid user base will shrink if nobody can bump 3rd party
> traffic, but that reduction alone will not kill Squid.
Hope so. It is difficult to make long-term plans if the software
has to die soon. :)
>
>
> Alex.

--
Cats - delicious. You just do not know how to cook them.


Re: Certificate transparency: problem for ssl-bumping, no effect, or?

L A Walsh
Yuri Voinov wrote:
> Hope at this. It is difficult to make long-term plans if the software
> has to die soon. :)
>  
---

...And if SW doesn't die "soon", but only a little later?  I.e. with
google's AI designing new encryption algorithms today (nothing
said about quality), how long before they can have an AI replacing
most of us?  Even now PCs seem to be "short-timers" as mass users
are migrated to hand-held, consume-only platforms, and PCs evolve
into tomorrow's unaffordable mini-compute-cloud servers.

PCs have always been too dangerous to allow in everyone's home
unless they are locked down and become "content platforms"
to play content similar to how game consoles are now.
It seems it will be hard just to afford an x86-64 compatible
CPU with those getting more & more cores (and more expensive) and
consumers being shunted over to the more affordable and
comparatively Celeron-classed Atom CPUs.

A year goes by quickly enough these days, to at least get an
advanced "heads-up" on such new "standards"...





Re: Certificate transparency: problem for ssl-bumping, no effect, or?

MK2018
Hello :)



Alex Rousskov wrote:

> Believe it or not, there are still many Squid use cases where bumping is
> unnecessary. This includes, but is not limited to, HTTPS proxying cases
> with peek/splice/terminate rules and environments where Squid possesses
> the certificate issued by CAs trusted by clients. There are also IETF
> attempts to standardize transmission of encrypted but proxy-cachable
> content.
>
> I agree that Squid user base will shrink if nobody can bump 3rd party
> traffic, but that reduction alone will not kill Squid.
>
> Alex.

I would definitely disagree. Rich countries' citizens always forget the fact
that high-quality corporate leased lines and dedicated bandwidth *do* cost
so much that letting users *hide* their unwanted traffic behind the *4th
amendment* HTTPS is unaffordable.


Naturally, HTTPS standards were designed to hide traffic. I don't mind users
hiding traffic content, let users burn in hell with it, let them rejoice
with Dante!

What I do mind is hiding full URLs and/or MIME types. Give me any low-cost
solution that would reliably expose those and hide anything else you want.
Otherwise, it is useless to start a business in the first place!

I mean, even with appliances like those from Sophos or others that claim to
have full control over traffic, it still remains an ugly guess work combined
with an admin nightmare who then must block each and every category of
unwanted traffic!

Unless the protocol design changes to expose full URLs and/or MIME types,
nothing will replace Squid Bumping.

That being said, we are headed to the vortex by 2018.05.01. Let's drown
together, while we yell and curse at Google!

MK




Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Alex Crow-2

> Unless the protocol design changes to expose full URLs and/or MIME types,
> nothing will replace Squid Bumping.
>
> That being said, we are headed to the vortex by 2018.05.01. Let's drown
> together, while we yell and curse at Google!
>
> MK
>
>
>

Erm, can someone elucidate the issue here? Can't see anything about this
in the last year of mails from this list ;-)

Alex



Re: Certificate transparency: problem for ssl-bumping, no effect, or?

MK2018
Alex Crow-2 wrote:
>> Unless the protocol design changes to expose full URLs and/or MIME types,
>> nothing will replace Squid Bumping.
>>
>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>> together, while we yell and curse at Google!
>>
>> MK
>>
>>
>>
>
> Erm, can someone elucidate the issue here? Can't see anything about this
> in the last year of mails from this list ;-)
>
> Alex
>
> -


:D :D Sure thing, here it is:
https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/

I had to know from AWS, otherwise I would have been terrorized on May 1st
all the sudden, just like how Google does it each time.

Chrome is most probably going to spit fire at all non-CT-logged CA
certificates. Naturally, 99% of Squid-Bumping feature users use self-signed certs
(or otherwise own all real CAs in the world and still violate CA rules), so
they will end up getting into a war with all Chrome users (which is basically like 80% of users).

Hope that clears it up!




Re: Certificate transparency: problem for ssl-bumping, no effect, or?

MK2018
MK2018 wrote:

> Alex Crow-2 wrote
>>> Unless the protocol design changes to expose full URLs and/or MIME
>>> types,
>>> nothing will replace Squid Bumping.
>>>
>>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>>> together, while we yell and curse at Google!
>>>
>>> MK
>>>
>>>
>>>
>>
>> Erm, can someone elucidate the issue here? Can't see anything about this
>> in the last year of mails from this list ;-)
>>
>> Alex
>>
>> -
>
>
> :D :D Sure thing, here it is:
> https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/
>
> I had to know from AWS, otherwise I would have been terrorized on May 1st
> all the sudden, just like how Google does it each time.
>
> Chrome is most probably going to spit fire at all non-CT-Logged CA
> certificate. Naturally, 99% of Squid-Bumping feature users use self-signed
> certs
> (or otherwise own all real CAs in the world and still violate CA rules),
> so
> they will end up getting into war with all Chrome users (which is
> basically like 80% of users).
>
> Hope that clears it up!

I might have overlooked this: "Certificates issued from locally-trusted or
enterprise CAs that are added by users or administrators are not subject to
this requirement."

https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/wHILiYf31DE

Think there is still hope?




Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Alex Rousskov
On 04/13/2018 02:41 PM, MK2018 wrote:

> Alex Rousskov wrote
>> Believe it or not, there are still many Squid use cases where bumping is
>> unnecessary. This includes, but is not limited to, HTTPS proxying cases
>> with peek/splice/terminate rules and environments where Squid possesses
>> the certificate issued by CAs trusted by clients. There are also IETF
>> attempts to standardize transmission of encrypted but proxy-cachable
>> content.
>>
>> I agree that Squid user base will shrink if nobody can bump 3rd party
>> traffic, but that reduction alone will not kill Squid.

> I would definitely disagree.

With what? Nothing you said afterwards contradicts what I said above.

Alex.

Re: Certificate transparency: problem for ssl-bumping, no effect, or?

Amos Jeffries
On 14/04/18 10:03, Alex Crow wrote:

>
>> Unless the protocol design changes to expose full URLs and/or MIME types,
>> nothing will replace Squid Bumping.
>>
>> That being said, we are headed to the vortex by 2018.05.01. Let's drown
>> together, while we yell and curse at Google!
>>
>> MK
>>
>>
>>
>
> Erm, can someone elucidate the issue here? Can't see anything about this
> in the last year of mails from this list ;-)
>

MK2018 is re-opening an old discussion from 2016.

The discussion started when TLS/1.3 and AES encrypted payloads were
still draft-only documents in IETF working groups.  So of course the
environment and what can or cannot be done is quite different now.


This just goes to show how much TLS and HTTPS environments are changing
and why our advice to always use the latest release of Squid when
SSL-Bumping is so important. Anything even a year old discussing the
topic is outdated and possibly irrelevant.

Amos