Therefore, please, PLEASE, never mention SSL Bump and security/privacy in the same letter. O:-) These are mutually exclusive concepts. Just like HTTPS and security.
On 25.03.2018 22:00, Yuri wrote:
In principle, I do not consider as secure any technology that allows MITM (even in theory), whatever the purpose. Since this is so, HTTPS is nothing more than security theater with a green lock for calming users.
This does not mean that I do not care about the security and privacy of users. But I provide it somewhat differently, by carefully protecting the proxy itself, its infrastructure and its cache.
On 25.03.2018 21:41, Yuri wrote:
On 25.03.2018 20:32, Matus UHLAR - fantomas wrote:
On 25/03/2018 at 13:08, Yuri wrote:
The problem is not installing the proxy CA. The problem is identifying that a client has no proxy CA and redirecting it, and doing that only once.
On 25.03.18 13:46, Nicolas Kovacs wrote:
That is exactly the problem. And I have yet to find a solution for that. The current method is to instruct everyone - with a printed paper in the office - to connect to proxy.company-name.lan and then get further instructions from the page. This works, but an automatic splash page would be more elegant.
On 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
Impossible and unsafe. The CA must be installed before such a splash page shows.
On 25.03.18 18:44, Yuri wrote:
Possible. "Safe/unsafe" should not be a discussion when SSL Bump is implemented already.
It's possible to install a splash page, but not to install a trusted authority certificate. Using such an authority on a proxy is the MITM attack, and the whole of SSL has been designed to prevent this.
Heh. If SSL was designed for that, why is SSL Bump itself possible? ;):-P
Without the certificate, the browser complains, which is a security measure against this.
Sure. It should.
up and in such case the splash page is irrelevant.
If you have a Windows domain, you can force security policy through it.
In an enterprise environment with AD, yes. But hardly in service providers' scenarios.
Service providers should not do this without users' permission. At least not in countries where privacy is guaranteed by law.
Thank you, Captain Obvious. :-)
Enterprises also should get user agreement before doing that. Especially in BYOD scenarios.
All these things are well known here. The question was about technical implementation, and not about the well-known truisms in the field of security and privacy (in most cases ephemeral).
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
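A one-time splash page that only intercepts plain HTTP, as an added configuration example for the "automatic splash page" Nicolas asks about above (this is illustration added here, not configuration posted by anyone in this thread or shipped by the Squid project). It uses Squid's ext_session_acl helper in active mode: a client address is held at the page until it has fetched the start URL once, after which the session stays open for the helper's timeout. The helper and database paths, the timeouts, the splash page path, the start URL and the use of the 511 status in deny_info are assumptions to adapt to the local install; deny_info also accepts a 302:URL form if the page is to be served by a web server instead. It deliberately leaves HTTPS alone: a client without the proxy CA fails the bumped TLS handshake before any response could reach it, which is the point Matus makes above, so the page can only tell users where to fetch the CA, not install it for them.

```squid
# Added example, not from the thread: show a splash page once per client
# address, on plain HTTP only. Paths, timeouts and the 511 status are
# assumptions; adjust them to the local installation.

# Session helper keyed on the client IP (%SRC). With -a (active mode) a session
# is only opened when the lookup line ends in the word LOGIN; it expires -T
# seconds after it was opened.
external_acl_type session ttl=60 negative_ttl=0 children-max=1 %SRC /usr/lib/squid/ext_session_acl -a -t /var/lib/squid/session.db -T 7200

# "session LOGIN" sends "<ip> LOGIN" to the helper and opens the session;
# "session" alone only asks whether an active session exists.
acl session_login      external session LOGIN
acl session_is_active  external session

# The site hosting the instructions (name taken from the thread) must stay
# reachable without a session; the "I have read this" link on that page
# points at the start URL, which is what opens the session.
acl splash_site    dstdomain proxy.company-name.lan
acl start_session  url_regex ^http://proxy\.company-name\.lan/start$
acl plain_http     proto HTTP

http_access allow splash_site start_session session_login
http_access allow splash_site

# Only plain HTTP can be answered with a page. Bumped HTTPS from a client that
# lacks the proxy CA dies in the TLS handshake before Squid could send one, so
# no rule here touches HTTPS or CONNECT.
http_access deny plain_http !session_is_active

# deny_info is keyed on the last ACL checked in the denying rule
# (session_is_active). 511 Network Authentication Required (RFC 6585) tells
# the client it is being held at a portal rather than refused by the site.
deny_info 511:/usr/share/squid/splash.html session_is_active

# the site's normal http_access rules follow here
```

The order matters: the allow for the start URL must come before the deny, because the session_login lookup is what creates the session, and it only runs when the rule is evaluated. Keep the helper in active mode (-a); in passive mode any request would open a session and the page would never be shown.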
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users