HSTS and HPKP

Gordon Hsiao
I'm running Squid 4.1 in interception peek+splice mode.

Some sites with HSTS (max-age=0) will not work whenever Squid is on. HSTS max-age=0 is supposed to turn off HSTS, but Chrome/Firefox will keep redirecting https<-->http until it fails (too many redirects). Once Squid is removed all is good.

I also searched various lists and squid's website, it's still unclear to me, for intercept proxy, can Squid deal with HSTS reliably these days?

A similar question is HPKP, or the pinning certificate: can Squid 4.1 handle that?

When no HSTS/HPKP is involved, it seems all sites work well.

Gordon

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: HSTS and HPKP

Amos Jeffries
Administrator
On 27/07/18 16:10, Gordon Hsiao wrote:

> I'm running Squid 4.1 in interception peek+splice mode.
>
> Some sites with HSTS (max-age=0) will not work whenever Squid is on. HSTS
> max-age=0 is supposed to turn off HSTS, but Chrome/Firefox will keep
> redirecting https<-->http until it fails (too many redirects). Once
> Squid is removed all is good.
>
> I also searched various lists and squid's website, it's still unclear to
> me, for intercept proxy, can Squid deal with HSTS reliably these days?
>

Handle yes. Reliably no.

Squid should be erasing the HSTS header completely whenever it can. The
problem is that HSTS can be delivered in several ways that Squid is not
in control of (spliced traffic, non-HTTP protocols, and non-proxied
connections). You have to reliably seal off those other protocols and
connection types for the MITM proxy to have even a basic chance at success.

FWIW: any HSTS TTL value that gets through to the server breaks things.
Even though max-age=0 can be used to clear some of those other HSTS
avenues, it still breaks things just by turning on the HSTS handling at
the server.


> A similar question is HPKP, or the pinning certificate: can Squid 4.1
> handle that?

No.

While HSTS was a train wreck from day-0, HPKP is technically closer to
how TLS was supposed to be used in the first place.

AFAIK, the only thing you can do in the presence of a client application
using HPKP is splice. A server using it does not matter if the client is
not checking.

Amos
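The two points Amos makes above (strip HSTS/HPKP headers wherever Squid can see them, and splice rather than bump for clients that check pins) translate into a small amount of Squid configuration. The following is an added example written for this page, not configuration from the thread or from the Squid project; the certificate path, the listening ports and the `/etc/squid/pinned-hosts.txt` list of server names are assumptions. Note what it cannot do: `reply_header_access` only applies to responses Squid parses, so any host that ends up in the `splice` rule passes its `Strict-Transport-Security` header through untouched, which is exactly the "reliably no" case described above.

```conf
# Added example (not from the thread): Squid 4.x interception config that
# removes HSTS/HPKP headers from every response Squid can actually parse.
# Spliced TLS is tunnelled opaquely, so headers inside it are NOT touched.

http_port  3128
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/mitm.pem \
    generate-host-certificates=on

# Step 1 (peek) reads the client hello, so the SNI is available for the
# ssl::server_name ACL before any bump/splice decision is made.
acl step1  at_step SslBump1
acl pinned ssl::server_name "/etc/squid/pinned-hosts.txt"   # assumed file, one host per line

ssl_bump peek   step1
ssl_bump splice pinned      # clients enforcing HPKP for these hosts: splice is the only option
ssl_bump bump   all         # everything else is decrypted and its headers are filterable

# Only reachable on bumped HTTPS and plain-HTTP responses; spliced
# traffic keeps whatever HSTS/HPKP headers the origin sent.
reply_header_access Strict-Transport-Security   deny all
reply_header_access Public-Key-Pins             deny all
reply_header_access Public-Key-Pins-Report-Only deny all
```

The `reply_header_access` lines are the "erasing the HSTS header" behaviour from the reply made explicit; if a browser has already cached an HSTS policy for a host from a spliced or non-proxied connection, stripping the header afterwards does not clear it, and the redirect loop Gordon describes will persist until that cached entry expires or is cleared on the client.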