In principle, I do not consider as secure any technology that allows MiTM (even in theory), whatever the purpose.

Since this is so, HTTPS is nothing more than security theater with a green lock for calming users. This does not mean that I do not care about the security and privacy of users. But I provide it somewhat differently, by carefully protecting the proxy itself, its infrastructure and its cache.

25.03.2018 21:41, Yuri wrote:
>
> 25.03.2018 20:32, Matus UHLAR - fantomas wrote:
>>>>> On 25/03/2018 at 13:08, Yuri wrote:
>>>>>> The problem is not installing the proxy CA. The problem is identifying
>>>>>> a client that has no proxy CA and redirecting it, and doing it only one time.
>>>>
>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>> That is exactly the problem. And I have yet to find a solution for that.
>>>>>
>>>>> The current method is to instruct everyone - with a printed paper in the
>>>>> office - to connect to proxy.company-name.lan and then get further
>>>>> instructions from the page. This works, but an automatic splash page
>>>>> would be more elegant.
>>
>>> 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
>>>> impossible and unsafe. The CA must be installed before such a splash
>>>> page shows
>>
>> On 25.03.18 18:44, Yuri wrote:
>>> Possible. "Safe/Unsafe" should not be the discussion when SSL Bump is
>>> implemented already.
>>
>> it's possible to install a splash page, but not to install a trusted
>> authority certificate. Using such an authority on a proxy is the MITM
>> attack and the whole of SSL has been designed to prevent this.
> Heh. If SSL is designed that way - why is SSL Bump itself possible? ;):-P
>>
>> without the certificate, the browser complains, which is a security
>> measure against this.
> Sure. It should.
>>
>>>> up and in such case the splash page is irrelevant.
>>>>
>>>> If you have a windows domain, you can force security policy through it.
>>
>>> In an enterprise environment with AD, yes. But hardly in service
>>> provider's scenarios.
>>
>> service providers should not do this without users' permission.
>> at least not in countries where privacy is guaranteed by law.
> Thank you, Captain Obvious. :-) Enterprises also should get user
> agreement before doing that. Especially in BYOD scenarios.
>
> All these things are well known here. The question was about technical
> implementation, and not about the well-known truisms in the field of
> security and privacy (in most cases ephemeral).
>
> --
> "C++ seems like a language suitable for firing other people's legs."
>
> *****************************
> * C++20 : Bug to the future *
> *****************************

--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users