Hi, I am kind of a newbie to SSL, and have been tinkering with squid SSL bumping for https, so bear with me if this question has already been discussed. So here is my understanding of how HTTPS works: a browser has a sort of local repository of trusted certificates, correct? And when you access an HTTPS website it searches through these certificates and determines whether one is to be trusted or not. So I've set up squid for SSL bumping and have added by squid certificate to my browser's list of trusted certificates. However, the way SSL now works is that squid intercepts my HTTPS request and I never actually see the certificate sent from the original server, correct? So what I want to know is how does squid know whether the certificate is valid or not? I am afraid of getting a man-in-the-middle attack since it is squid that verifies certificates and not my client. Or is my understanding incorrect? Does squid have this same list of trusted sources and if not can I set it up myself? -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ssl-bumping-how-does-squid-verify-certificates-tp4669296.html Sent from the Squid - Users mailing list archive at Nabble.com. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
