
List:       squid-users
Subject:    Re: [squid-users] SOLVED - SECURITY ALERT: Host header forgery detected
From:       "Eliezer Croitoru" <eliezer () ngtech ! co ! il>
Date:       2018-05-16 22:05:45
Message-ID: 0c2d01d3ed62$0a6f98a0$1f4ec9e0$ () ngtech ! co ! il

Amos,

And this issue is kind of big\mega corp services or CDN services.
Now I am really not sure I understand what this security host forgery is about.
There are a couple of cases:
- Simple forward proxy with ssl-bump, where no header forgery should ever happen when the client requests a specific domain and no IP
- Intercept proxy with ssl-bump enabled that has no SNI host
- Intercept proxy with ssl-bump enabled that has SNI and squid passes the client's SNI host

Which one of the above is this specific case?
And if there are other cases it's good to list them and I will try to wiki these details.

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@ngtech.co.il



-----Original Message-----
From: squid-users <squid-users-bounces@lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, May 15, 2018 21:28
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] SOLVED - SECURITY ALERT: Host header forgery detected

On 16/05/18 02:02, Eliezer Croitoru wrote:
> Hey Martin,
> 
> Technically there should be a way to inform Squid-Cache about multiple addresses for the same destination. If Squid doesn't know that it's a real IP of the domains, a partial solution is to use the same DNS service, but it can also be something else. For example there should be a way\option for Squid to decide if this address of the client or server is secured.
> Amos, what do you think?
> Can a Host header forgery detection override acl be added? Should it be added?
> I believe that if there are some properties to the remote certificate we can flag the service as "Secure", i.e. if the OS runs "openssl s_client -host www.ubuntnu.com -connect 91.189.89.118:443" and the certificate is fine then... there is no place for any SECURITY ALERT.

A malicious actor would simply forward the TLS handshake to the real
server they are spoofing. Same way Squid does for SSL-Bump.

The counter argument of not sending SNI to that suspicious server will
have failures with these exact same mega-corp services. Think
foo.example.com hosted on Google hosting where the generic server cert
is "foo.1e1.net", not "foo.example.com", nor even "google.com".


The "problem" that needs to be resolved is simply that the genuine
servers do not have a reliable match between their IP and client
presented domain name(s).

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

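As an added illustration that is not part of this thread and not Squid's own code: a simplified Python model of the host verification check Amos describes, walking through the three cases Eliezer lists. The DNS answers, hostnames and addresses below are constructed for the example (documentation-range IPs, `.example` names); the point they show is that a CDN handing different address sets to the client's resolver and the proxy's resolver trips the alert on genuine traffic, and that pointing both at one resolver makes the same connection pass.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample DNS data (not from the thread): a CDN-hosted name for which
# the client's resolver and the proxy's resolver hand out disjoint address sets,
# and a plain name that resolves identically everywhere.
CLIENT_DNS: Dict[str, Set[str]] = {
    "www.cdn-hosted.example": {"198.51.100.10", "198.51.100.11"},
    "static.single.example": {"203.0.113.5"},
}
PROXY_DNS: Dict[str, Set[str]] = {
    "www.cdn-hosted.example": {"198.51.100.20", "198.51.100.21"},
    "static.single.example": {"203.0.113.5"},
}


@dataclass
class ClientConn:
    """One client connection as the proxy sees it (hypothetical model)."""
    intercepted: bool            # True for NAT/TPROXY intercept, False for explicit forward proxy
    original_dst: Optional[str]  # IP the client really connected to (only known when intercepted)
    sni: Optional[str]           # TLS SNI from the ClientHello, None if the client sent none
    host_header: Optional[str]   # Host header (forward-proxy CONNECT target, or seen after bumping)


def presented_name(conn: ClientConn) -> Optional[str]:
    """The name the client claims it wants: SNI first, then the Host header."""
    return conn.sni or conn.host_header


def host_verify(conn: ClientConn, resolver: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Simplified model of the check (not Squid's actual code path): the
    client-presented name must resolve, from the proxy's point of view, to the
    address the client actually connected to."""
    name = presented_name(conn)
    if not conn.intercepted:
        # Case 1 in Eliezer's list: the client asked the proxy for a name, not an
        # IP, so there is no original destination to compare against.
        return True, "forward proxy: client requested a name, nothing to verify"
    if name is None:
        # Case 2: intercepted TLS with no SNI. There is no claimed name, so the
        # proxy can only relay to original_dst; the check never fires.
        return True, "intercept without SNI: no claimed name, relaying to original_dst"
    answers = resolver.get(name, set())
    if conn.original_dst in answers:
        return True, f"{name} resolves to original_dst {conn.original_dst}"
    # Case 3: intercepted with SNI, and the proxy's resolver disagrees with the
    # client's: this is the situation that produces the alert on genuine traffic.
    return False, (f"SECURITY ALERT: Host header forgery detected: {name} resolves to "
                   f"{sorted(answers)}, client connected to {conn.original_dst}")


def simulate_intercept(name: str, client_dns: Dict[str, Set[str]],
                       proxy_dns: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """The client resolves `name` with its own resolver and connects to the first
    answer; the proxy intercepts and verifies the SNI with *its* resolver."""
    client_ip = sorted(client_dns[name])[0]
    conn = ClientConn(intercepted=True, original_dst=client_ip, sni=name, host_header=None)
    return host_verify(conn, proxy_dns)


if __name__ == "__main__":
    # Genuine CDN traffic trips the alert because the two resolvers disagree.
    print(simulate_intercept("www.cdn-hosted.example", CLIENT_DNS, PROXY_DNS))
    # A single-address name passes.
    print(simulate_intercept("static.single.example", CLIENT_DNS, PROXY_DNS))
    # Mitigation mentioned in the thread: clients and proxy share one resolver.
    print(simulate_intercept("www.cdn-hosted.example", PROXY_DNS, PROXY_DNS))
```

The model deliberately ignores details real Squid adds (port checks, comparing Host against SNI, the `host_verify_strict` option); what it keeps is the part the thread is about: the alert is a disagreement between two DNS views of one name, not evidence of an attack, and the fix Amos and Eliezer converge on is giving the proxy and its clients the same view.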

