> On Oct 19, 2017, at 8:36 AM, Adam Cage <adamcag...@gmail.com> wrote:
> 
> Dear Volker and others,
> 
> If I just inspect on host name only, do I have to create a CA and
> Certificate to install in the proxy server of pfSense anyway ???
> 
> Thanks a lot,
> 
> ADAM

You do have to create a CA and tell squid to use it but it is not used to spin 
up certificates and it does not have to be installed to the clients’ trusted 
stores if you are only using peek/splice.

I am not sure if the requirement is due to the GUI form or squid itself. End 
result is the same regardless.


> 2017-10-12 17:24 GMT-03:00 Volker Kuhlmann <hid...@paradise.net.nz>:
> 
>> On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:
>> 
>>> This is useful to filter facebook, twitter, gmail and other HTTPS sites,
>>> just taking into account the URL ??? What can't I block for example ???
>> 
>> Look at squidguard rules - they're in 3 sections: hosts only, URLs, and
>> general regexp. With http all 3 of them work (within the bugginess of
>> squidguard and pfsense anyway).
>> 
>> With https the URL is encrypted, except for the host name part. I.e. the
>> SSL connection to the server is established on the host part only, and
>> the client sends the full URL only over the SSL connection once
>> established.
>> 
>> So you have 2 options for https:
>> 
>> 1) Full MITM attack, requiring client cert installs on all clients so
>> that the clients establish encrypted connections with the key of your
>> attack server (aka firewall) instead, and you have a chance of
>> inspecting the content.
>> 
>> 2) Inspect on host name only, that part is not encrypted.
>> 
>> As everything is moving to http it's becoming seriously difficult to use
>> squidguard as outgoing filter to get rid of all the shitvertising and
>> privacy invading user tracking rubbish (which wastes my time, bandwidth
>> and money for absolutely zero gain to me).
>> 
>> Volker
>> 
>> --
>> Volker Kuhlmann                 is list0570 with the domain in header.
>> http://volker.top.geek.nz/      Please do not CC list postings to me.
>> _______________________________________________
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>> 

