Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days

Just for information

1 Like

Unfortunately squid is an old piece of software written for older times with specific goals. The rise of SSL/TLS is making it almost unusable (unless using a peek & splice approach).

All the ones with CVE numbers had fixes applied to squid-4.15 or 5.06

Around the same time as the CVEs were raised, IPFire updated to 4.15.
Currently IPFire is on 6.2

Some entries can be found in the squid bugzilla and are resolved (basically the CVE entries) or are still marked as Unconfirmed.

Others I could not find in the squid bugzilla at all. Searched by reporter name.

I think we will need to see what the squid developers say about this.

1 Like

Two years of silence is a bit worrying though, at least assuming what is written in that message is accurate.

Why is that? I assume I do not understand the issue well enough, but I could not help forming the opinion that a proxy probably should not terminate a tunnel but just pass the “literal” bits between the two parties. This is based on the assumption that no third party, without exceptions, has any legitimate reason to read the encrypted communication I establish with my counterpart. This is also an argument not just for privacy, but to legally protect a business enterprise offering a cache service for its clients.

This is off topic, but I will add this consideration: premature tunnel termination is the attack vector the authoritarian governments are using to legislate against end-to-end encryption. Our phones will be scanning our images, emails, chat etc. before encryption or after they get decrypted. These people would love to have proxy providers do the same, nullifying the entire TLS/SSL technology. We must resist this push.

That is what I am not sure about.

Looking through the users and dev mailing lists on squid I found that user's name three times, and none of those conversations were related to the issues in the report.

All the CVEs were dealt with, so the question is whether the squid developers believed those other items were something that needed to be fixed or not. I can't find much on those and, as I said, also no reports in the squid bugzilla, although that could also be my poor search skills in it.

That is exactly what it does for IPFire, but then there is nothing to cache for the proxy. All squid could do is store the encrypted traffic content in its cache, but it wouldn't know which new traffic requests were covering the same information, as the new traffic would also be encrypted.

Probably the conversation was not public.

I didn’t connect the dots. Now I better understand the issue. Thank you.

This is exactly why HTTPS is fundamentally broken, when every ISP and Government can sit there.

We could have a conversation about whether TLS (which transforms HTTP to HTTPS) is or is not fundamentally broken, but this is not the topic.
Also, there is an interesting conversation about why an ISP and a Government should (or should not) sit on some things. But IMVHO this is not the community for it.

1 Like

I would like to have that conversation. Maybe a dedicated thread?

Anyway, keeping to the topic.
Am I wrong, or has the post been completely ignored?

More related links.

Consider that the second link also reports “availability” for renting the dude's skills and time.