On Sun, 28 Aug 2011, Eric Wilhelm wrote:

> I didn't think it was a question of CPU speed anytime in the past
> decade.  How does a proxy cache encrypted data?

Bringing up proxies is an excellent point.  While most proxies do support
SSL tunnelling, this does make the request uncacheable since the proxy never
knows anything about the connection outside of the host & port it's
tunnelling to.

I run a proxy cluster myself, and I do force caching of search engine
responses for a short window (typically on the order of a few hours), and it
does tend to pay off, especially when notable events occur in the world.
Obviously, SSL bypasses the cache altogether.  And I can only get away with
this because the businesses I support all want the same "safe" levels
applied to all requests, so I don't have to worry about inappropriate
content in some people's results.

Which brings to mind yet another point:  for those of us providing content
filtering services via proxies, SSL is a huge problem.  The only good
solution is to do transparent interception of SSL connections with your
proxies serving up a private CA-signed certificate using wild cards, but
that requires installing your private CA's root certificate on all clients,
and even then there's clients that that still won't work on.  Never mind
that the concept of spoofing external organization certificates is insanely dangerous in its own right.

        --Arthur Corliss
          Live Free or Die
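
Added example, not part of the original message: a sketch of what a forward proxy can read from a plain HTTP request versus an SSL `CONNECT` tunnel, which is why the tunnelled request gives it nothing to cache on. The request heads, the hostname `search.example` and the function `proxy_view` are constructed for illustration, and the cache-key format is an assumption rather than that of any particular proxy.

```python
from urllib.parse import urlsplit

# Constructed request heads, as a forward proxy would receive them.
PLAIN = (b"GET http://search.example/q?term=news HTTP/1.1\r\n"
         b"Host: search.example\r\n\r\n")
TUNNEL = (b"CONNECT search.example:443 HTTP/1.1\r\n"
          b"Host: search.example:443\r\n\r\n")


def proxy_view(raw: bytes) -> dict:
    """Return what the proxy can learn from one request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target = parts[0].upper(), parts[1]

    if method == "CONNECT":
        # Authority-form target: host:port only. Everything after the
        # proxy's "200" reply is opaque ciphertext, so there is no URL,
        # no query string and no response to key a cache entry on.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"bad CONNECT target: {target!r}")
        return {"method": method, "host": host.lower(), "port": int(port),
                "path": None, "cache_key": None}

    # Absolute-form target: the proxy sees the full URL in the clear.
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError(f"expected absolute http:// target: {target!r}")
    port = url.port or 80
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    # Only safe, idempotent reads are candidates for a shared cache.
    key = None
    if method in ("GET", "HEAD"):
        key = f"{method} http://{url.hostname}:{port}{path}"
    return {"method": method, "host": url.hostname, "port": port,
            "path": path, "cache_key": key}


if __name__ == "__main__":
    for sample in (PLAIN, TUNNEL):
        print(proxy_view(sample))
```
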
