26.03.2018 05:23, Amos Jeffries wrote:
I could not make such a stupid idea. It does not work out that way. The user is always asked whether to trust the CA certificate being installed.

On 26/03/18 12:07, Yuri wrote:

26.03.2018 05:05, Amos Jeffries wrote:

On 26/03/18 11:05, Yuri wrote:

And yes, HTTPS is insecure by design and all our actions do not make it less insecure :-D

We are not talking about HTTPS. Only about TLS. Because the TLS decrypt is what is "failing" at the time any of these details we are discussing are relevant. The "page" mentioned is HTML created by the _client_ as its way to show the user things. Still no HTTP(S) involvement. Squid has zero involvement with that so cannot make it do anything active (like install CA certs).

Exactly. Users do. And we almost have all the required tools to implement a user-driven helper ;)

Yet again you are circled back to involving the user. Remember the original point was trying to do things *without any user* knowing or being involved.

The only way known to me to do this silently is using AD group policy. AFAIK, we're discussing the usual way with catch error and redirect to page. No more. Captive Portal, Splash, ACL etc. Generally speaking, yes.

This is what I mean by "TLS used properly" - proper is when it always circles back to user deciding who they trust. No matter how indirectly, the user installs a (root) CA causing trust or allowed someone else to do so.

I just mean that in some other protocols you have no possibility to do MiTM in any way, whether installing something or not. This prevents any improper or malicious use of the protocol. TLS has this possibility. SSH does not. You can't MiTM or compromise SSH by installing any key/certs on the client. Correct? This is by design?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************