[cc'ing to debian-user since this is about the 15th time i am answering this question... which i am glad to do, don't get me wrong!]
* Phillip Deackes <[EMAIL PROTECTED]> [2001.11.04 19:16:14+0000]:
> Thanks, Martin. Could you explain a little more, please. I am
> primarily a teacher, so only have a certain level of networking
> expertise. I am not sure how I would put your advice into practice.
> I understand in principle - port 443 carries ssl traffic, port 80
> carries all the normal http traffic. I need to tell squid to deal
> with port 80 traffic only. How would I make squid forward ssl
> requests to our external proxy?

HTTPS (HTTP over SSL, port 443) is encrypted traffic building on Diffie-Hellman certificates. These help to ensure the identity of the server as well as disclosing the real data from third parties by encrypting them.

think about it:

(a) iff squid were able to cache HTTPS data, it would mean it has to be able to decrypt that traffic. if squid can decrypt it, so could everyone else. (yes, i know, SSL has been cracked. ergo: TLS). DH certificates are pairs on all counts; there is no way to introduce a third key into the encryption scheme (as it *is* possible with RSA/DSA asymmetric encryption as used e.g. by PGP/GPG).

(b) you could possibly tell squid to be the other side, so that the encryption channel exists between you and squid, and squid creates a new encrypted tunnel to the actual server. this is a horrible scenario, as presumably the client will not know about encryption failures between squid and the real server.

(c) if (b) is in effect, then the only certificate you'll ever see is that of squid's HTTPS caching, which means that the client (you) can never ensure that s/he is connected to the right system. this is opening up the doors for IP spoofing and connection hijacking...

(d) SSL encrypted traffic is mostly dynamic, meaning it can't be cached anyway.

does this make sense?

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED] if you don't understand or are scared by any of the above ask your parents or an adult to help you.
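An added squid.conf fragment, not from the original mail or from the Squid project, illustrating the arrangement discussed in the thread: Squid fetches and caches plain HTTP itself, while CONNECT requests (HTTPS, port 443) are passed through untouched to an external parent proxy. The upstream hostname and port are placeholders; the directive names are standard Squid ones, but check them against the squid.conf documentation for the version you run, since defaults and syntax have shifted between releases.

```squid
# Added example (not from the original mail); upstream.example.org:3128
# is a placeholder for the site's external proxy.

# HTTPS lives on 443; CONNECT is the method browsers use to tunnel it.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Refuse CONNECT tunnels to anything other than the HTTPS port.
http_access deny CONNECT !SSL_ports

# The external proxy that the encrypted tunnels are handed to.
# no-query: no ICP queries; default: use it when nothing else matches.
cache_peer upstream.example.org parent 3128 0 no-query default

# CONNECT (HTTPS) must go through the parent, never straight out.
never_direct allow CONNECT
always_direct deny CONNECT

# Everything else (plain HTTP on port 80) is fetched directly by Squid,
# which is the traffic Squid can actually cache.
always_direct allow all
```

With this, Squid never sees anything but the opaque CONNECT tunnel for HTTPS, which matches point (a) above: the proxy has nothing to cache and no key with which to read the payload, and the browser still validates the real server's certificate end to end.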