Tag Archives: squid

Faster is not always the answer!!

I am happy to publish the article for:
Squid-Cache 3.5.20 and 4.0.12 beta release.

The details about the RPMs repository are at squid-wiki.
RPMs Available for CentOS, Oracle Linux, OpenSUSE Leap

Faster is not always the answer!!

When are clients not complaining?
What I mean is: did you ever see a client complain about the speed of the Internet connection? No, I do not mean that he or she complains it's too slow, but that it's too fast.

I had the pleasure of meeting a couple of clients who complained that the computer had been running slowly since their Internet connection speed was upgraded. No, it wasn't a joke; it is reality.

The scenario needs some background and context to sound a bit more realistic:
The client is about 80 years old and the PC is 2-3 years old. When the Internet connection was slow, the OS updates and the AV's P2P connections were slow. Every day the computer was shut down around a specific hour and, if required, some updates were applied. Now the issue is that since the Internet speed got faster, every couple of hours an update from the AV was applied and almost every couple of days an OS update was back on the table. The main issue was speed, but with a twist: "when I disconnect the router it works faster," he states.
Actually it took me quite a while to understand that a simple desktop with about 4GB of RAM should be enough to run Skype, Word, email and a couple of tiny console-based pieces of software.

So why? Why did the PC get slower?
I really do not know! It could be lots of IOPS dumped on a 5400 RPM HDD, or the AV scanning the 2GB of updates repeatedly. I cannot answer what I never understood, and from what I did understand, faster is not always the good answer. However, I can try to imagine that verifying that every signature of a file is still the same as it should be might not be so easy for every PC.

These days I am counting the 10th month in which my local testing Squid runs in a "full" HTTP response digest mode. Every single response is digested using the SHA256 hashing function and it feels like it's not there at all. It's not affecting my tiny 15Mbps line rate downloads or my tiny server farm.
Oh well, it's not the full and whole truth!!

The full truth is that the users agreed to use the service in any form, since they care more about their mind and soul than about their comfort. They decided that they need some filtering system when they insert data into their mind through their eyes. It's as simple as it sounds. They know that their mind should be guarded behind a couple of NAT systems and a couple of IDS+IPS, since there are a couple of weird ideas out there on the Internet.

I ask myself, a couple of times every single day, questions like:

  • How do you want others to treat you when you have some need?
  • Would you want others to do everything for you?
  • What would a "Plate Of Gold" look like?

And then my IDS+IPS system throws at me a big fat text exception with the header "We are humans, we need others!".

And indeed this is an IDS+IPS which I didn't build, and every once in a while I ask myself: how many digest functions are in there?

  • CRC32
  • MD5
  • SHA1
  • SHA256
  • SHA512
  • SHA1024
  • SHA∞ ?

Is there an AES-based one in there as well?
And my answer is that I do not know what's in there, but I can see some "reflection" of something greater and better. Then I start to wonder: why do all these clients want their so well-formed, solid and mature minds to be proxied using any solution? Would any human-made solution ever match our genes?

I cannot give any "scientific" opinion, but I can bring to the table things from others who carry more weight than me on these matters, either from life experience or from scientific research. These do claim that the human genes are not "perfect" and therefore there is always a need to "spice" the human mind and soul in order to allow it some level of progress. The simplest example of humans being affected is that kids try to learn from their parents and later, with time, they try to learn from others. This learning curve can teach us that genes are not "everything".

The answer will not always be "Faster" if you get to the state of understanding and believing that it's a rocket to your mind that hits using words, pictures, tables, shapes and other things.

But!! Don't get paranoid!! It's enough that you have another person in the house next to you, and you are safe enough not to lose your mind. It's enough that there is someone who can be asked directly or through a proxy, and this world already feels much better than it did a couple of seconds ago.

All The Bests,
Eliezer Croitoru

Squid 3.5.12 RPMs release

I am happy to release the new RPMs of Squid 3.5.12 for CentOS 6 64-bit, 32-bit and CentOS 7 64-bit.

The new release includes a couple of bug fixes and improvements.
I have also taken the time to build the latest beta 4.0.3 RPM for CentOS 7.
The details about the RPMs repository are at squid-wiki.

Why 3DES (triple DES)? or The fall of DES.

It is known in the cryptography world that since 1997 DES (i.e. single DES) has been vulnerable to some attacks and is therefore considered unsafe for some uses. To resolve the DES issues, 3DES was implemented, since it could reuse the same fast cryptography machinery/chips that were used before, and by that give the industry some time to find another, more fitting solution.
Some words about the DES encryption from Professor Gideon Samid:

Hashing compared to Encryption

The difference between hashing and encryption is the ability to recreate the original digested content. Hashes are meant to allow some kind of content validation/verification based on the low probability of mathematical collisions. To give a simple example on the subject we can use the Quadratic Formula:
Quadratic Formula
The formula shows that it is possible (and it is always the right answer) to have two answers to the same question/issue/variables.
Based on the fact/assumption that there is a possibility of two answers/solutions for the same unknowns+function, we can use a function to describe more than one number. And in the case of computers, where everything is some kind of number, we can convert the unknown numbers to octets.
Once there is no difference between numbers and/or octets and letters, we are in the function computation world. There we can use all sorts of functions/equations to describe all sorts of numbers and, by that, letters.
Eventually hashes are some kind of known functions which implement some way to reflect very big numbers or very big documents in some kind of output. Technically speaking, it's some function/method that is guaranteed to reflect very big numbers, with some probability (high or low) that multiple input values will be reflected by the same output number (128 bits, for example).
At many application levels some hashes such as crc32/md5/sha-1/others are being used, and these applications allow themselves to validate content integrity with a fully "vulnerable" hash due to the fact that the validated content does not exceed the function's collision sizes.
I must admit that I have used MD5 and many other hashes for a very long time, and the only collisions that I have seen affect real-world application integrity are those of CRC32 hashes. Maybe I have not seen enough yet!
And a couple of expert words from Professor Gideon Samid on hashing:
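The "collision sizes" point above can be made concrete. The following Python script is an added example, not code from the original post: it estimates the birthday bound for a digest width, then draws random 8-byte messages until two distinct ones share a CRC32 (which takes on the order of 80,000 draws, since the output is only 32 bits) and shows that a naive integrity check built on CRC32 accepts the substitute while the same check built on SHA256 rejects it. The function names and the seed are this example's own choices.

```python
import hashlib
import math
import random
import zlib


def birthday_bound(bits):
    """Approximate number of random inputs for a 50% chance of at least one
    collision in a digest of the given width: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_crc32_collision(limit=400_000, seed=1234):
    """Draw random 8-byte messages until two distinct ones share a CRC32.
    Returns (m1, m2), or None if `limit` messages were drawn without one
    (vanishingly unlikely: the bound for 32 bits is about 82,000 draws)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = {}                  # crc -> first message observed with that crc
    for _ in range(limit):
        msg = rng.getrandbits(64).to_bytes(8, "big")
        crc = zlib.crc32(msg)
        other = seen.get(crc)
        if other is not None and other != msg:
            return other, msg
        seen.setdefault(crc, msg)
    return None


def crc32_hex(data):
    return "%08x" % zlib.crc32(data)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def passes_check(candidate, reference, digest_fn):
    """Integrity check as a downloader would do it: compare digests only."""
    return digest_fn(candidate) == digest_fn(reference)


def demo():
    """Returns (crc32 accepted the substitute, sha256 accepted the substitute)."""
    pair = find_crc32_collision()
    if pair is None:
        return None
    original, substitute = pair
    return (passes_check(substitute, original, crc32_hex),
            passes_check(substitute, original, sha256_hex))


if __name__ == "__main__":
    print("50%% collision bound, 32-bit digest: ~%d inputs" % birthday_bound(32))
    print("50%% collision bound, 256-bit digest: ~%.2e inputs" % birthday_bound(256))
    pair = find_crc32_collision()
    print("CRC32 collision:", pair[0].hex(), pair[1].hex(), crc32_hex(pair[0]))
    print("crc32 accepts substitute, sha256 accepts substitute:", demo())
```

The same loop against SHA256 would never terminate in practice; that gap between 2^16 and 2^128 expected draws is exactly what "the validated content does not exceed the function collision sizes" is about.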

  • Disclaimer: I am not a cryptography expert!

This RPMs release was tested for:

  • ICAP 204/206 compatibility (non-SSL)
  • eCAP passthru adapter which digests the response body using SHA256
  • refresh_pattern variations
  • StoreID patterns
  • Basic load testing
  • Basic SSL-Bump usage in strict forward proxy mode
  • Basic verification that memory does not leak over a long period of operation
  • Basic build tests

All the above was done on CentOS 7 x86_64 VMs.
I have not tested everything on CentOS 6, since it is assumed that if it works well on CentOS 7 there should be no special reason for it not to work on CentOS 6.
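The eCAP adapter in the test list above digests each response body as it streams through the proxy. The Python script below is an added example, not the adapter's code or anything from the Squid project: it de-chunks a constructed chunked HTTP/1.1 response, feeds the body pieces to SHA256 incrementally (which is what a streaming adapter has to do, since it never holds the whole body), and compares the result in constant time against a digest obtained elsewhere. The sample response, the function names and the truncation check are this example's own assumptions.

```python
import hashlib
import hmac

# Constructed sample (not captured from a real server): a chunked HTTP/1.1
# response whose body, once de-chunked, is b"Hello, world!".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nHello\r\n"
    b"7\r\n, world\r\n"
    b"1;ext=1\r\n!\r\n"   # a chunk extension, which the parser must ignore
    b"0\r\n\r\n"
)


def split_response(raw):
    """Split a raw response into (header block, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    return head, body


def iter_chunks(body):
    """Yield the data pieces of a chunked-encoded body, in arrival order."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return  # last-chunk; any trailers are ignored here
        piece = body[pos:pos + size]
        if len(piece) != size:
            raise ValueError("truncated chunk data")
        yield piece
        pos += size + 2  # skip the data and its trailing CRLF


def digest_chunks(chunks, algo="sha256"):
    """Hash a body incrementally, the way a streaming adapter sees it."""
    h = hashlib.new(algo)
    for piece in chunks:
        h.update(piece)
    return h.hexdigest()


def digest_response_body(raw, algo="sha256"):
    """Hex digest of the de-chunked body of a raw chunked response."""
    _, body = split_response(raw)
    return digest_chunks(iter_chunks(body), algo)


def body_digest_matches(raw, expected_hex, algo="sha256"):
    """Constant-time comparison against a digest obtained elsewhere."""
    return hmac.compare_digest(digest_response_body(raw, algo), expected_hex)


def body_is_complete(raw):
    """True if the chunked body parses through to its last-chunk."""
    try:
        for _ in iter_chunks(split_response(raw)[1]):
            pass
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("sha256 of body:", digest_response_body(SAMPLE_RESPONSE))
    print("complete:", body_is_complete(SAMPLE_RESPONSE))
```

Because the hash is fed piece by piece, the result does not depend on how the body was split into chunks on the wire, which is the property a proxy-side digest relies on when it compares its value with one computed at the origin.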

More details about the repository at squid-wiki.

All The Bests,
Eliezer Croitoru