On 28/07/14 05:15, Alex Crow wrote:
>
> You need to create your own CA, import the CA cert into your client
> browsers (which will get rid of the warning) and use the key to do
> dynamic cert generation in squid. Then it is possible to do either
> WPAD based browser config, or, I think (harder) do TPROXY with bumping.
>
> NB unless you can import your own CA cert into all client browsers you
> *WILL* get certificate validation failures in the browser.
>

It's also a bit harder than that. Google Chrome uses cert pinning to ensure that any time Chrome goes to any Google https site, the server cert is signed by the CA that Google knows it was signed by. This means MITM SSL interception is noticed by Chrome and it shrieks and screams :-)

So even with SSL interception, you need to create an "exception acl" of sites that are not to be fiddled with - which entirely undoes the reason for doing intercept in the first place(*) - or somehow ban the use of Chrome.

I do wonder where this will end. How long before Firefox starts pinning, then MSIE, then it gets generalized, etc?

(*) Being able to view Cloud-provider HTTPS content is actually one of the primary reasons I want to do SSL interception. In the past year we've seen a major uptick in malware being delivered to clients via https (Amazon, Google, Dropbox), and being able to get an AV filter in there would really help. Unfortunately, Google has this thing about trying to stop nasty governments from spying on their citizens (i.e. both motivations are justified, but diametrically opposed).

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
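As an added illustration (not part of the thread, and not Squid project documentation), here is what the two pieces discussed above look together in squid.conf: the locally generated CA used for dynamic certificate generation, and the "exception acl" that keeps pinned Google domains out of the bump. It uses the peek/splice syntax of Squid 3.5 and later, which postdates this 2014 thread; the port, file paths, helper location and the domain list are assumptions to adapt.

```squid
# Added example, not from the thread or from Squid's own docs. Bumps most TLS
# traffic with a locally generated CA and splices (passes through untouched)
# the pinned domains the reply warns about. Squid 3.5+ peek/splice syntax.

# Intercepting HTTPS port. bump-ca.pem holds the CA certificate and key that
# was also imported into the client browsers (assumed path and port).
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certificates signed by that CA (assumed paths).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1 of the handshake lets Squid read the client's SNI before deciding.
acl step1 at_step SslBump1

# The "exception acl": domains whose certificates Chrome pins (assumed list).
# These are never re-signed, so the browser sees the real certificate chain.
acl nobump ssl::server_name .google.com .googleapis.com .gstatic.com .youtube.com

# Peek at the ClientHello, then splice the exceptions and bump everything else.
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all
```

Anything matched by `nobump` is tunnelled as-is and cannot be handed to an AV or ICAP filter, which is exactly the trade-off the reply describes; everything else is decrypted inside Squid and presented to clients under a certificate from the imported CA. Keep the CA key readable only by the Squid user, since anyone holding it can impersonate every site the clients trust that CA for.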