Hej Henrik, On Wed, 05.07.2006 at 20:11:18 +0200, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote: > With SSL it's more than a conflict. SSL is explicitly designed to not > allow breaking end-to-end. Meaning that breaking end-to-end is only > theoretically possible if the client is configured to trust the proxy as > an SSL CA. Additionally, this will cripple the SSL protocol making it > impossible to use client certificate authentication and also makes it thank you for this good explanation! This begs the question what the commercial pack is doing when clamouring about content security, however. I thought they were claiming to look also inside encrypted traffic to enforce policies. As it stands, usage using client certificates for authentication is probably not mandatory in many cases (eg. when using a random shop site). > impossible for the user/browser to properly verify the requested server > (it has to trust the proxy to do all verifications correctly...) Yes, but the client has to trust the proxy for non-encrypted traffic anyway. Ie, if I want to go to www.ebay.com and get redirected by the proxy to vvv.ebay.com (just a contrived example), it'll be a lot easier to fool me into going to the wrong encrypted site thereafter, too. Mvh, --Toni++
