On 26/03/18 13:44, Yuri wrote:
>
>
> 26.03.2018 06:41, Yuri wrote:
>>
>> 26.03.2018 06:30, Amos Jeffries wrote:
>>> On 26/03/18 12:34, Yuri wrote:
>>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>>> On 26/03/18 12:07, Yuri wrote:
>>>>>> 26.03.2018 05:05, Amos Jeffries wrote:
>>>>>>> On 26/03/18 11:05, Yuri wrote:
>>>
>>> On 26/03/18 12:34, Yuri wrote:
>>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>>> This is what I mean by "TLS used properly" - proper is when it always
>>>>> circles back to user deciding who they trust. No matter how indirectly,
>>>>> the user installs a (root) CA causing trust or allowed someone else to
>>>>> do so.
>>>> Generally speaking, yes.
>>>>
>>>> I just mean, that in some other protocols you have no any possibility to
>>>> make MiTM by any way, whenever installing something or not. This
>>>> prevents any improper or malicious use of protocol.
>>>>
>>>> TLS *have* this possibility. SSH is *not*. You can't MiTM or compromise
>>>> SSH by installing any key/certs to client. Correct? This is by design?
>>> No. SSH is just TCP/telnet over TLS. So if the SSH software were to
>>> trust the cert/key Squid delivers one could use SSL-Bump on that SSH
>>> traffic.
>> You sure?
>>
>> https://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl-especially-in-terms-of-sftp-vs-ftp-over-ssl
>>
>> Quote: "SSH has its own transport protocol independent from SSL, so that
>> means SSH DOES NOT use SSL under the hood."
>>
>> Because I'm not. Different sources tells opposite.
> I'm sure SSH using openssl under the hood. But not sure it uses same
> tunneling implementation like TLS-over-HTTP. And now it is still unknown
> any method to MiTM SSH, AFAIK.

I'm not 100% sure, but it uses the same message framing as TLS and
performs the same handshake sequence and security verifications.

That said *SSL* _is_ different from TLS so the quote is technically
correct either way.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users