Re: How to configure a "proxy home" page ?

26.03.2018 21:36, Matus UHLAR - fantomas writes:
> On 26.03.18 19:16, Yuri wrote:
>> Disagree.
>>
>> My point about TLS is quite different.
>>
>> SSH, by design, assumes end-to-end encryption and does not assume any
>> third party treated as trusted, like TLS does.
>
> actually, the ssh DOES support certificate authorities that sign client or
> host keys, so you don't need to transfer it over SSH server - it's just not
> widely used.
>
> https://www.ssh.com/ssh/keygen/#sec-Using-X-509-Certificates-for-Host-Authentication

I know such an obvious thing. But the functionality you described was not initially designed in SSH and was added later.

>> SSH immediately notifies you
>> when the server key surprisingly changes.
>
> only when you already have the host key installed in your client. If there's
> a MITM attack before you get the key, you will not notice that, unless you
> get the key by some other (secure) way.

By analogy with TLS - let's imagine I've already been on the site. With SSH, the client notifies me - "Hey, man, you are trying to connect to a server with .... fingerprint. Add it Yes/No?"

Instead of this, TLS never notifies me if the third-party CA is known to the client.

> unlike SSL, SSH was not designed to be used globally between everyone, more
> within one or more "friend" organizations, so it didn't specify how host
> keys are verified (the SSHFP DNS record just transfers trust to DNS, which
> can be hijacked too).

To be honest, a weak argument. A secure connection should always be encrypted end-to-end and should not "trust" third parties as well. Never. Otherwise it is an insecure connection. IMHO.

>> Yes, users are involved in both cases. However the difference is still here.
>> SSH is end-to-end always by design (we're not talking about things like
>> Kerberos here), TLS is not.
>
> TLS was designed to be end-to-end encryption and the certificate authority

As Stanislavsky said, "I do not believe it!"

End-to-end encryption and the (trusted third-party) certificate authority: these are antonyms.

> system was built to fulfil this.  The bumping proxies, antiviruses, and
> application firewalls just break this.

With this I can not argue.
-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
