On 24/03/2012 1:44 a.m., Michał Wiącek wrote:
You seem to be speaking of an interception gateway filter.

SSL was designed to prevent man-in-the-middle attacks (aka interception)
from being done.

Maybe I said it wrong - I do not want to intercept, but only decide which host
can connect

This is not possible. The URL is inside the encryption. You must decrypt
the traffic in order to even see the URL.

I do not want to filter all URLs, only the host. If the host is encrypted, how do routers
know which host to connect to?

Ah okay language problems.

The destination IP and port are known from TCP. And when the browser is configured to use a proxy it sends the domain name as well. But nothing else is easily available for HTTPS.


If I am understanding you right, what you actually want is a whitelist or blacklist of destinations in the firewall. This would work better than what Squid can offer with HTTPS.

In both cases you have the same problems of figuring out and listing what destination IP/host are to be blocked or allowed. The firewall can do it far faster and simpler though.

Amos
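
An added example, not part of the original thread and not Squid's own code: a host-only decision made from the one clear-text line a browser sends to a configured proxy for HTTPS, `CONNECT host:port HTTP/1.x`. The allowlist entries and function names are constructed for illustration.

```python
# Added example: everything a proxy can read for HTTPS without decrypting
# is the CONNECT request line. No URL path or query is available.

ALLOWED_HOSTS = {"example.com", "mail.example.org"}  # constructed allowlist
ALLOWED_PORTS = {443}                                # constructed policy


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    if not parts[2].startswith("HTTP/"):
        return None
    target = parts[1]
    if target.startswith("["):
        # IPv6 literal in brackets, e.g. [2001:db8::1]:443
        end = target.find("]")
        if end == -1 or target[end + 1:end + 2] != ":":
            return None
        host, port = target[1:end], target[end + 2:]
    else:
        host, sep, port = target.rpartition(":")
        if not sep or not host:
            return None
    if not (port.isascii() and port.isdigit()) or not 0 < int(port) < 65536:
        return None
    # Normalise case and a trailing dot so matching cannot be sidestepped.
    return host.lower().rstrip("."), int(port)


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact name or a subdomain of it, matched on a label boundary."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def decide(request_line):
    """Return 'allow' or 'deny' using only the host and port."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "deny"  # not a well-formed CONNECT request
    host, port = parsed
    if port not in ALLOWED_PORTS or not host_allowed(host):
        return "deny"
    return "allow"
```
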
