Hi,
I just jumped into the SSLBump/Split features some months ago. I don't find these
features harmful, especially when protecting your children from accessing
YouTube or other possibly harmful sites. Once you are logged in with a Google
account they redirect your communication to https, which makes the
inspection impossible. Squid's SSLBump/Split (named SslPeekAndSplice in the
latest version) is the only feature which will make the inspection happen.
This means there are still some cases where this feature is very helpful and
the only one freely available.

-- 
Peter Viskup

On Thu, Mar 26, 2015 at 12:58 PM, Sven Hartge <s...@svenhartge.de> wrote:

> Michael I. <linux-michae...@abwesend.de> wrote:
>
> > But I have a new problem, I want to have a transparent proxy for http
> > this works fine but when I add the iptables rule for https the loading
> > won't work.
>
> Of course not. That this is not working is the _whole point_ of any
> end-to-end encrypted connection.
>
> What you are effectively trying to do is a Man-in-the-Middle "attack".
>
> You cannot transparently proxy *any* encrypted connection without major
> trickery, like I wrote in my first mail. You would need a fake CA
> certificate (to see why this is a _very_ bad idea you just have to look
> at the latest CNNIC and MSC debacle (sorry, German URLs):
> <https://www.psw-group.de/blog/cnnic-signiert-falsche-google-zertifikate/2112>
> or
> <http://www.heise.de/security/meldung/Google-deckt-erneut-Missbrauch-im-SSL-Zertifizierungssystem-auf-2583414.html>),
> and have your proxy terminate the end-to-end encryption by issuing a fake
> certificate on the fly, so that the client is satisfied and then create
> another new encrypted connection to the intended end-point.
>
> There _are_ security appliances out there which work in that way but
> they are considered _very_ *very* bad practice and should be avoided at
> all costs.
>
> Regards,
> Sven.
>
> --
> Sigmentation fault. Core dumped.
>
> Archive: https://lists.debian.org/11bg3gmtro...@mids.svenhartge.de

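An added example, not code from the thread and not Squid's own helper, that reproduces with the openssl command line what Sven describes above: a private "bump" CA, a leaf certificate forged on the fly for the name the client asked for, and the client's verification of that leaf against two trust stores. The "Real Root CA" stands in for the public roots a browser ships with; the hostnames, subject names and working directory are assumptions for illustration. The script opens no network connections, so the proxy's second, upstream TLS connection is not shown, only the certificate side of the trick.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): what an SSLBump-style
# proxy does with certificates, using only the openssl CLI.
# "real"  = stand-in for the public roots a browser trusts by default
# "bump"  = the proxy's own CA, which every client must be made to trust
# Hostnames and $WORK are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Make a self-signed CA named $1 ("real" or "bump") with subject CN $2.
# Writes $WORK/$1.key and $WORK/$1.crt.
make_ca() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        >/dev/null 2>&1
}

# What the proxy does per intercepted connection: forge a leaf for the name
# the client sent in its SNI ($1), signed by the bump CA. Prints the path.
mint_leaf() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/bump.crt" -CAkey "$WORK/bump.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" >/dev/null 2>&1
    echo "$WORK/$host.crt"
}

# The client's decision: does leaf $1 validate for hostname $2 when the only
# trusted root is $3? Exit status 0 = accepted, non-zero = rejected.
trusted_by() {
    openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo run: forge www.youtube.com and test it against both trust stores.
make_ca real "Real Root CA"
make_ca bump "Example Bump CA"
leaf=$(mint_leaf www.youtube.com)
if trusted_by "$leaf" www.youtube.com "$WORK/bump.crt"; then
    echo "client that installed the bump CA: accepts forged www.youtube.com"
fi
if ! trusted_by "$leaf" www.youtube.com "$WORK/real.crt"; then
    echo "client with only public roots: rejects it (the transparent HTTPS proxy 'does not load')"
fi
# The same key signs for any name at all; that is why a leaked or misused
# CA (the CNNIC case above) is so serious.
other=$(mint_leaf accounts.google.com)
if trusted_by "$other" accounts.google.com "$WORK/bump.crt"; then
    echo "...and the bump CA can forge accounts.google.com just as easily"
fi
```

Run as `sh bump-demo.sh` (needs an openssl that supports `-verify_hostname`, i.e. 1.0.2 or newer). The `bump.crt`/`bump.key` pair is what a Squid `https_port ... intercept ssl-bump cert=...` line would consume and what `ssl_bump` rules would use to mint leaves; the `mint_leaf` step is the part Squid automates, and `trusted_by` with `real.crt` is the check every unmodified client performs and fails on, which is exactly the symptom Michael reported.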