24.08.2016 19:24, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:
>
>>>> Then I do not understand what he wants op.
>>
>> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>>
>>> Secure connection to squid proxy without need for anything else (on
>>> client side) than configuring proxy in browser.
>>
>>> Using provided signed certificates.
>>> No SSL-bumping or whatever just forwarding.
>>
>> Firstly, the concept is not safe. Users will have a secure connection to
>> the proxy
>
> Yes, that is all the OP is looking for.
>
>> as well as the next?
>
> Once it leaves the OP's network I suspect the risk (of eavesdropping etc) is
> reduced.
>
>> HTTP? User misled green padlock,
>
> I do not think the browser will show an SSL/TLS padlock for a secured proxy
> connection - it only shows this for a secured connection to the destination
> server. Therefore no misled users.
>
>> believes all secure connection - as external traffic is not encrypted
>> after the fact. Second. You seriously think that the world will sit
>> under HTTPS? What, for example, you want to protect on news sites?
>
> I don't understand what you are saying here.

Maybe there is some misunderstanding here. If we are talking about encryption, just authentication proxy - is one thing. If encryption of all client traffic at all only to the proxy, not caring about what happens to it next - is another.

>
> The connection across the local network between browser and proxy is secured.
>
> Beyond that everything works across the Internet just as normal - HTTP sites
> are not secured, HTTPS sites are secured. The user sees SSL padlock and
> certificate chain for HTTPS sites, nothing for HTTP sites.
>
> So, the design is more secure over the local network than the standard
> arrangement, and exactly the same beyond the local network.

Correct LAN design solves most of these problems.
>
> No security is being compromised or downgraded.

Not sure.

>
> Antony.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users