26.03.2018 15:33, Matus UHLAR - fantomas wrote:
On 25/03/2018 at 13:08, Yuri wrote:
The problem is not installing the proxy CA. The problem is identifying that the client has no proxy CA and redirecting, and doing it only one time.
On 25.03.18 13:46, Nicolas Kovacs wrote:
That is exactly the problem. And I have yet to find a solution for that.
The current method is to instruct everyone - with a printed paper in the office - to connect to proxy.company-name.lan and then get further instructions from the page. This works, but an automatic splash page would be more elegant.
25.03.2018 18:42, Matus UHLAR - fantomas wrote:
impossible and unsafe. The CA must be installed before such a splash page shows
On 25.03.18 18:44, Yuri wrote:
Possible. "Safe/Unsafe" should not be a discussion when SSL Bump is implemented already.
25.03.2018 20:32, Matus UHLAR - fantomas wrote:
it's possible to install a splash page, but not to install a trusted authority certificate. Using such an authority on a proxy is a MITM attack and the whole of SSL has been designed to prevent this.
On 25.03.18 21:41, Yuri wrote:
Heh. If SSL is designed so - why is SSL Bump itself possible? ;):-P
it's not, you must break through it to allow ssl-bump by installing your CA certificate. You haven't explained how to do that automatically although you claim it's possible.
Please provide evidence.
Waaaaaaa. No. My misunderstanding. Of course, not automatically.
without certificate, the browser complains which is a security measure against this.
Sure. It should.
and it does. unless you tweak it not to, which must be configured manually (please provide evidence if not).
Exactly. I'm talking only about it. My misunderstanding.
up and in such case the splash page is irrelevant.
If you have a Windows domain, you can force security policy through it.
In an enterprise environment with AD, yes. But hardly in service providers' scenarios.
service providers should not do this without users' permission.
at least not in countries where privacy is guaranteed by law.
Thank you, Captain Obvious. :-)
Enterprises also should get user agreement before doing that. Especially in BYOD scenarios.
All these things are well known here. The question was about technical implementation, and not about the well-known truisms in the field of security and privacy (in most cases of ephemeral).
maybe you know that, but many of the people asking for an ssl bump how-to do not know that.
I disagree a bit.
This has been repeated so many times here and in the Wiki that it's hard to imagine that someone does not already know this.
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************