Bob Proulx <b...@proulx.com> wrote: > Sven Hartge wrote: >> Michael I. wrote:
>>> Is there really no way to redirect https request to an errorpage >>> with squid3+squidguard? >> Long answer: The only way is to setup a transparent proxy, >> intercepting any outbound connection and terminating the encryption >> on the proxy. You will need a fake CA certificate with which the >> proxy is able to create fake server certificates so the client still >> thinks it is connected to the real server. >> >> And here it gets a) dangerous and b) expensive. > It is extremely bad, bad, bad, as well as dangerous. I haven't been > following the news in great detail but read all about Komodia's recent > news articles. Komodia's cracking tools are used in Superfish and > Lenovo was in trouble for pre-installing Superfish. There are network policy/security appliances in the enterprise world, which implement a scanning proxy for HTTPS. They come with a either a wildcard certificate for * (signed by a valid CA!) or a fake CA certificate, which you install onto your computers to enable the appliance to function. This is of course very dangerous if you don't know what you are doing, but sometimes there are no other options (for example HIPAA, SOX, PCI, ...) if you have to absolutley control the flow and content of data. But then, if you are in the area where you need such MitM-Filter-SSL-breaking-proxies, then you already know of how to do it and when to do it. If you don't know how to do it and when to do it, chances are, you don't need it. Guessing from Michaels TLD, he is German. This means there are several other things to consider, based on the environment this is done in. If this is for a company or govermental agency, the Betriebsrat (works council) or the Personlrat and the local Datenschutzbeauftragter (data security official) has to be involved. Grüße, Sven. -- Sigmentation fault. Core dumped. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/kbfqc92ro...@mids.svenhartge.de
