26.03.2018 02:45, Amos Jeffries wrote:
> On 26/03/18 04:41, Yuri wrote:
>>
>> 25.03.2018 20:32, Matus UHLAR - fantomas wrote:
>>>>>> Le 25/03/2018 à 13:08, Yuri wrote:
>>>>>>> The problem is not installing the proxy CA. The problem is identifying
>>>>>>> a client that has no proxy CA and redirecting it, and doing it only once.
>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>> That is exactly the problem. And I have yet to find a solution for that.
>>>>>>
>>>>>> The current method is to instruct everyone - with a printed paper in the
>>>>>> office - to connect to proxy.company-name.lan and then get further
>>>>>> instructions from the page. This works, but an automatic splash page
>>>>>> would be more elegant.
>>>> 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
>>>>> Impossible and unsafe. The CA must be installed before such a splash
>>>>> page shows.
>>> On 25.03.18 18:44, Yuri wrote:
>>>> Possible. "Safe/unsafe" should not be the discussion when SSL Bump is
>>>> implemented already.
>>> It's possible to install a splash page, but not to install a trusted
>>> authority certificate. Using such an authority on a proxy is the MITM
>>> attack, and the whole of SSL has been designed to prevent this.
>> Heh. If SSL was designed that way - why is SSL Bump itself possible? ;):-P
> As all our SSL-Bump documentation should be saying:
>
> when TLS is used properly SSL-Bump *does not work*.
>
> A client checking the cert validity and producing _its own_ error page
> about a missing/unknown/untrusted CA is one of those cases. Since the
> client is producing the "page" itself there is no possibility of Squid
> replacing that with something else.

Amos,

Squid is irrelevant here. "Used properly" and "implemented properly", and,
especially, "designed properly" - which means "secure by design", like SSH or
The Onion Router. HTTPS is *NOT*. Security should not be dependent on
client/user behaviour. For example, end-to-end security in IM: it is
completely independent from the user. If HTTPS permits MiTM, in theory and
in practice, by any manner - it is insecure by design. Point.

>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************