On 26/03/18 09:49, Yuri wrote: > > > 26.03.2018 02:45, Amos Jeffries пишет: >> On 26/03/18 04:41, Yuri wrote: >>> >>> 25.03.2018 20:32, Matus UHLAR - fantomas пишет: >>>>>>> Le 25/03/2018 à 13:08, Yuri a écrit : >>>>>>>> The problem is not install proxy CA. The problem is identify client >>>>>>>> has no proxy CA and redirect, and do it only one time. >>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote: >>>>>>> That is exactly the problem. And I have yet to find a solution for >>>>>>> that. >>>>>>> >>>>>>> Current method is instruct everyone - with a printed paper in the >>>>>>> office >>>>>>> - to connect to proxy.company-name.lan and then get further >>>>>>> instructions >>>>>>> from the page. This works, but an automatic splash page would be more >>>>>>> elegant. >>>>> 25.03.2018 18:42, Matus UHLAR - fantomas пишет: >>>>>> impossible and unsafe. The CA must be installed before such splash >>>>>> page shows >>>> On 25.03.18 18:44, Yuri wrote: >>>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump >>>>> implemented already. >>>> it's possible to install splash page, but not install trusted authority >>>> certificate. Using such authority on a proxy is the MITM attack and >>>> whole >>>> SSL has been designed to prevent this. >>> Heh. If SSL designed - why SSL Bump itself possible? ;):-P >> As all our SSL-Bump documentation should be saying: >> >> when TLS is used properly SSL-Bump *does not work*. >> >> A client checking the cert validity and producing _its own_ error page >> about missing/unknown/untrusted CA is one of those cases. Since the >> client is producing the "page" itself there is no possibility of Squid >> replacing that with something else. > Amos, > > squid is irrelevant here. "Used properly" and "Implemented properly", > and, especially, "Designed properly" - which means "Secure by design", > like SSH or The Onion Router. > > HTTPS is *NOT*. > You are missing the point. Sometimes TLS *is* implemented properly. Squid is very relevant here because it is the agent producing the un-verifiable certificate. The certificate is un-verifiable exactly because Squids own CA is being used and the client does not trust that CA. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
