Search squid archive

Re: SSL and ACL, anyone?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hej Henrik,

On Wed, 05.07.2006 at 20:11:18 +0200, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
> With SSL it's more than a conflict. SSL is explicitly designed to not
> allow breaking end-to-end. Meaning that breaking end-to-end is only
> theoretically possible if the client is configured to trust the proxy as
> an SSL CA. Additionally, this will cripple the SSL protocol making it
> impossible to use client certificate authentication and also makes it

thank you for this good explanation!

This begs the question what the commercial pack is doing when
clamouring about content security, however. I thought they were
claiming to look also inside encrypted traffic to enforce policies.

As it stands, usage using client certificates for authentication is
probably not mandatory in many cases (eg. when using a random shop
site).

> impossible for the user/browser to properly verify the requested server
> (it has to trust the proxy to do all verifications correctly...)

Yes, but the client has to trust the proxy for non-encrypted traffic
anyway. Ie, if I want to go to www.ebay.com and get redirected by the
proxy to vvv.ebay.com (just a contrived example), it'll be a lot easier
to fool me into going to the wrong encrypted site thereafter, too.


Mvh,
--Toni++


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux