On Tue, Feb 16, 2010 at 7:17 AM, Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx> wrote:
> On 14.02.10 18:30, Andres Salazar wrote:
>> I am trying to configure SSLbump so that I can use squid in transparent
>> mode and redirect with iptables/pf port 443 and 80 to squid.

Why transparent?

> Are you aware of all security concerns when intercepting HTTPS connections?
>
> ...I just wonder when will the first proactive admin (or someone from his managers) be sent
> to prison because of breaking into users' connections.

Laws vary by country. At least in the US, SSL-intercepting admins are much more likely to face civil liability than any sort of criminal charge. So no prison, just bankruptcy.

With the requirement to load a public key on the machine being intercepted, generally this is only deployed in situations where the owner of the proxy also already "owns" the user machine.

I'm using a commercial tool which gets around the headaches and legal issues by inspecting the HTTPS outbound data on the client, before it gets encrypted. This "agent" only works with IE/Firefox.