>
> I have been toying with the idea of making Squid a "man-in-the-middle"
> https proxy, decrypting the requests and encrypting them again in a new
> SSL session. But haven't found sufficient motivation to implement this
> yet..
>
> This obviously pretty much nullifies the end-to-end security of SSL
> transactions as they have to fully trust the proxy as a CA, but there
> are many environments where this isn't an issue and it's more important
> to be able to filter and inspect the https traffic.
>

- Inspecting HTTPS is an ever-increasing issue in today's internet, because viruses etc. can't be seen in encrypted streams. Bluecoat proxies offer this possibility too, as a man-in-the-middle decrypter and encrypter.

My bank, however, provides me with an SSL-based key, with strong encryption, for accessing its web-banking application. I'd be very wary, however, of letting this happen via in-between decrypting-encrypting SSL proxies; let alone that in this case this won't be possible, because the remote CA will want to see my certificate and none other.

Even without, I'd be wary, seeing Hendrik with a pina colada in the Bahamas on what was eventually my, now empty, bank account ... :-) :-)

M.