Re: How to configure a "proxy home" page ?

26.03.2018 02:45, Amos Jeffries wrote:
On 26/03/18 04:41, Yuri wrote:

25.03.2018 20:32, Matus UHLAR - fantomas wrote:
On 25/03/2018 at 13:08, Yuri wrote:
The problem is not installing the proxy CA. The problem is identifying that the client
has no proxy CA and redirecting, and doing it only one time.
On 25.03.18 13:46, Nicolas Kovacs wrote:
That is exactly the problem. And I have yet to find a solution for
that.

Current method is to instruct everyone - with a printed paper in the office - to connect to proxy.company-name.lan and then get further instructions from the page. This works, but an automatic splash page would be more elegant.

25.03.2018 18:42, Matus UHLAR - fantomas wrote:
Impossible and unsafe. The CA must be installed before such a splash page shows.
On 25.03.18 18:44, Yuri wrote:
Possible. "Safe/Unsafe" should not be a discussion when SSL Bump is implemented already.
It's possible to install a splash page, but not to install a trusted authority certificate. Using such an authority on a proxy is a MITM attack, and the whole of SSL has been designed to prevent this.
Heh. If SSL was designed for that - why is SSL Bump itself possible? ;) :-P
As all our SSL-Bump documentation should be saying:

   when TLS is used properly SSL-Bump *does not work*.

A client checking the cert validity and producing _its own_ error page
about missing/unknown/untrusted CA is one of those cases. Since the
client is producing the "page" itself there is no possibility of Squid
replacing that with something else.
Amos,

Squid is irrelevant here. "Used properly" and "Implemented properly", and, especially, "Designed properly" - which means "Secure by design", like SSH or The Onion Router.

HTTPS is NOT.

Security should not be dependent on client/user behaviour. For example, end-to-end security in IM. It is completely independent of the user.

If HTTPS permits MiTM in theory and practice by any manner - it is insecure by design. Point.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
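
The client-side check discussed in this thread (a client rejecting a bumped certificate unless the proxy CA is already in its trust store) can be reproduced offline with OpenSSL. This is an added example, not part of the original messages; the CA names, `www.example.test` and the file names are constructed for illustration, and hostname matching is not covered.

```shell
#!/usr/bin/env bash
# Constructed demo: a "proxy CA" signs a leaf certificate, then two clients
# validate it, one trusting only an unrelated CA and one trusting the proxy CA.
set -u

make_pki() {  # $1 = working directory
  local d="$1" ca
  # proxy_ca stands in for the proxy's signing CA; other_ca stands in for
  # whatever the client trusts before the proxy CA is installed.
  for ca in proxy_ca other_ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo $ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  # Leaf certificate as the proxy would mint it for an intercepted site.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/proxy_ca.pem" \
    -CAkey "$d/proxy_ca.key" -CAcreateserial -days 1 \
    -out "$d/leaf.pem" 2>/dev/null
}

# Chain validation as the client performs it, before any HTTP is exchanged.
client_accepts() {  # $1 = client's trusted-CA file, $2 = presented certificate
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo_dir=$(mktemp -d) && make_pki "$demo_dir"
for store in other_ca proxy_ca; do
  if client_accepts "$demo_dir/$store.pem" "$demo_dir/leaf.pem"; then
    echo "client trusting $store: certificate accepted"
  else
    echo "client trusting $store: certificate rejected by the client itself"
  fi
done
```

The rejection happens inside the client during chain validation, so the proxy never gets to serve a page in that case.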
