Posted to users@trafficserver.apache.org by "Adam W. Dace" <co...@gmail.com> on 2014/08/26 03:13:51 UTC

Forward-Caching SSL Question

For a long time I've been running either a local ATS proxy, or a
child/parent combination for my web browsing and it has me wondering.

I'm pretty sure the connection between browser and ATS when using SSL is
unencrypted.
But does that matter?  If I have my facts right the encryption going on for
SSL is simply between the browser itself and the remote origin website,
with ATS acting as a pass-through.

To put my question simply...if I switched from a local ATS forward proxy to
one located on the public Internet would I be putting myself at risk when
using SSL?  I'd hate to think my SSL traffic would be vulnerable to any
sort of snooping.

Thanks In Advance.

Regards,

Adam

-- 
____________________________________________________________
Adam W. Dace <co...@gmail.com>

Phone: (815) 355-7285
Instant Messenger: AIM & Yahoo! IM - colonelforbin74 | ICQ - #39374451
Microsoft Messenger - colonelforbin74@live.com <ad...@turing.com>

Google Profile: https://plus.google.com/u/0/109309036874332290399/about

Re: Forward-Caching SSL Question

Posted by Bill Zeng <bi...@gmail.com>.
If I understand correctly, SSL traffic would still be encrypted even
through an ATS forward proxy located on the public internet. It would not
make sense for the ATS to decrypt the SSL traffic and forward plain
traffic, although I suppose you can configure it that way.


On Mon, Aug 25, 2014 at 6:13 PM, Adam W. Dace <co...@gmail.com>
wrote:

> For a long time I've been running either a local ATS proxy, or a
> child/parent combination for my web browsing and it has me wondering.
>
> I'm pretty sure the connection between browser and ATS when using SSL is
> unencrypted.
> But does that matter?  If I have my facts right the encryption going on
> for SSL is simply between the browser itself and the remote origin website,
> with ATS acting as a pass-through.
>
> To put my question simply...if I switched from a local ATS forward proxy
> to one located on the public Internet would I be putting myself at risk
> when using SSL?  I'd hate to think my SSL traffic would be vulnerable to
> any sort of snooping.
>
> Thanks In Advance.
>
> Regards,
>
> Adam
>

Re: Forward-Caching SSL Question

Posted by "Adam W. Dace" <co...@gmail.com>.
Thank you both for the information, I feel a ton better about giving things
a try now.

Regards,

Adam


On Mon, Aug 25, 2014 at 10:25 PM, Alan M. Carroll <
amc@network-geographics.com> wrote:

> Monday, August 25, 2014, 8:13:51 PM, you wrote:
>
> > I'm pretty sure the connection between browser and ATS when using SSL is
> > unencrypted.
>
> If you use https:, then it should be encrypted. If you are in transparent
> mode, you likely don't have port 443 (SSL port) intercepted so it goes
> right by ATS without ATS noticing. If you're using an explicit proxy, the
> browser will connect to ATS and use the CONNECT method to set up a tunnel,
> in which case ATS will simply forward bytes.
>
> ATS can be set up to terminate SSL, but in that case you would need the
> private key for the certificate used for the origin server. In general,
> that's not possible. In this case you can have the inbound to ATS traffic
> encrypted and the outbound from ATS traffic encrypted or unencrypted. If
> you haven't set up certificates for ATS, it's not terminating SSL and it is
> not decrypting anything.
>
> You can do unencrypted to ATS and encrypted outbound, but that requires
> using remap to convert HTTP to HTTPS connections and in that case you would
> be using http: in the browser, not https:.
>
>


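
Added example (not part of any message in this thread, and not ATS code): a sketch of what an explicit forward proxy can read from a CONNECT tunnel of the kind Alan M. Carroll's reply describes, namely the target host and port and the TLS record framing, but not the contents. The sample bytes are constructed and all function names are hypothetical.

```python
import struct

# Constructed sample: bytes an explicit forward proxy receives from a browser
# opening https://example.org/ (in practice the TLS bytes follow the proxy's
# 200 reply; here the client-side stream is shown concatenated).
CONNECT_REQ = b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n"
# Constructed TLS records: a handshake record, then an application-data
# record whose payload stands in for ciphertext the proxy cannot read.
TUNNELED = (b"\x16\x03\x01\x00\x04" b"\x01\x00\x00\x00"
            b"\x17\x03\x03\x00\x05" b"\x9a\x11\xc4\x07\xee")
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

def parse_connect(data):
    """Return (host, port, bytes_after_headers) for a CONNECT request."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request headers")
    method, target, _version = head.split(b"\r\n")[0].decode("ascii").split(" ")
    if method != "CONNECT":
        raise ValueError("not a tunnel request: " + method)
    host, _, port = target.rpartition(":")
    return host, int(port), rest

def tls_records(stream):
    """List (record_type, payload_length) for each complete TLS record."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if ctype not in TLS_TYPES or major != 3:
            raise ValueError("not a TLS record at offset %d" % pos)
        if pos + 5 + length > len(stream):
            break  # partial record: wait for more bytes
        records.append((TLS_TYPES[ctype], length))
        pos += 5 + length
    return records

def proxy_view(captured):
    """Everything a byte-forwarding proxy learns: destination and framing."""
    host, port, rest = parse_connect(captured)
    return {"host": host, "port": port, "records": tls_records(rest)}

if __name__ == "__main__":
    print(proxy_view(CONNECT_REQ + TUNNELED))
```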