And also:

As long as you stay in your white robes, the whole world supports the illusion of HTTPS security. The world has changed before our eyes in the past three years. And by the way, your 3.4 branch has long been used in commercial solutions. Doing the bump. The illusion of security is much worse than insecurity. Isn't it time to admit it?

On 06.07.15 19:34, adam900710 wrote:
> 2015-07-06 20:06 GMT+08:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> On 6/07/2015 9:30 p.m., adam900710 wrote:
>>>
>>> Here are some of my experiments:
>>> 1) Remove "never_direct"
>>> Then ssl_bump works as expected, but the traffic doesn't go through
>>> the SOCKS5 proxy. So there are a lot of sites I can't access.
>>>
>>> 2) Use the local 8118 proxy
>>> That works fine without any problem, but ssl_bump is needed...
>>> So that just proves privoxy is working.
>>>
>>> Any clue?
>>
>>> Also, if I disable "ssl_bump" on the http_port line, squid works without
>>> any problem, just as a forwarder.
>>> But that makes no sense anyway.
>>
>> Makes perfect sense. Would you like anybody to be able to decrypt your
>> HTTPS traffic and send it as plain-text wherever they want?
>>
>> Squid does not permit that. All inbound encrypted traffic must one way
>> or another leave upstream only by encrypted channels.
> Agree with Yuri, I hate the government (Yeah, especially the f**king
> China gov!) and the evil Chinese one has already tried this trick on
> gmail some months ago.
>
> That's who forces me to pass the traffic to privoxy, as the Great
> Firewall is already blocking me from reaching most sites in the open world.
>
> Also you get a little confused with ssl bump and encryption/authentication.
>
> SSL bump in fact doesn't do the black magic to magically decrypt
> everything without cost.
> PKI still makes you know that someone is bumping your SSL communication.
>
> So normally with SSL bump, you will see a big browser warning about
> the unknown issuer of the faked certificates.
> And normal routines like curl will just abort the connection when they
> find the certificate is not valid.
>
> Although the communication has lost its encryption, you can still know you
> are under monitoring.
> And this implementation needs you to trust the fake CA.
> If one doesn't trust it, just blacklist the fake CA and use tor or
> whatever to really hide the trace.
>
> So although ssl bump destroys encryption, it doesn't destroy
> authentication.
> And the combination of ssl bump and cache peer should be allowed if there
> are no bugs or configuration errors on my side.
>
> Thanks.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
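The point made in the quoted reply, that a bumping proxy's minted certificate still fails chain validation for every client that has not installed the proxy's CA, can be shown end to end with Go's standard-library X.509 code. This is an added example and is not part of the thread or of Squid itself: the two CA names, the hostname www.example.com, and the verdict strings are constructed for the demonstration. The same routine mints both the "real" root and the bump CA, because structurally the two are identical; the only thing that separates them is which one the client has been told to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA mints a self-signed CA certificate. It serves both for the
// constructed "real" public root and for the bumping proxy's private CA.
func newCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf does what a bumping proxy does for every intercepted CONNECT:
// it mints a server certificate for the requested hostname, signed by its own CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verdict validates leaf for hostname against the given trust roots and
// classifies the outcome the way a TLS client such as curl would act on it.
func Verdict(leaf *x509.Certificate, hostname string, roots ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: pool})
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "unknown-issuer" // the "big browser warning" / curl abort case
	default:
		return "rejected: " + err.Error()
	}
}

// DemoResult holds the three verdicts BumpDemo produces.
type DemoResult struct {
	GenuineWithRealRoot string // genuine cert, client trusts only the real root
	BumpedWithRealRoot  string // bumped cert, client trusts only the real root
	BumpedWithBumpCA    string // bumped cert, client also installed the bump CA
}

// BumpDemo builds a constructed real root and bump CA, a genuine and a
// bumped leaf for www.example.com (constructed hostname), and validates them.
func BumpDemo() (DemoResult, error) {
	const host = "www.example.com"
	realCA, realKey, err := newCA("Constructed Real Root CA", 1)
	if err != nil {
		return DemoResult{}, err
	}
	bumpCA, bumpKey, err := newCA("Constructed Squid Bump CA", 2)
	if err != nil {
		return DemoResult{}, err
	}
	genuine, err := issueLeaf(realCA, realKey, host)
	if err != nil {
		return DemoResult{}, err
	}
	bumped, err := issueLeaf(bumpCA, bumpKey, host)
	if err != nil {
		return DemoResult{}, err
	}
	return DemoResult{
		GenuineWithRealRoot: Verdict(genuine, host, realCA),
		BumpedWithRealRoot:  Verdict(bumped, host, realCA),
		BumpedWithBumpCA:    Verdict(bumped, host, realCA, bumpCA),
	}, nil
}

func main() {
	r, err := BumpDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine cert, real root only: ", r.GenuineWithRealRoot)
	fmt.Println("bumped cert,  real root only: ", r.BumpedWithRealRoot)
	fmt.Println("bumped cert,  bump CA trusted:", r.BumpedWithBumpCA)
}
```

The middle verdict is the "you can still know you are under monitoring" case: a client that trusts only public roots sees an unknown issuer and aborts. The last verdict is the flip side of "this implementation needs you to trust the fake CA": once the bump CA is in the client's store, the bumped connection validates cleanly and nothing in the handshake distinguishes it from a genuine one, so blacklisting (or never installing) that CA is the only client-side control left.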