[squid-users] How to have squid as safe as (e.g.) firefox?

Alex Rousskov rousskov at measurement-factory.com
Thu Aug 13 20:23:44 UTC 2015


On 08/12/2015 03:20 PM, Jeremie Rafin wrote:

> -while using squid, is it possible to have a SSL/HTTPS level of
> security at least as high as with a reference like firefox?


With a custom certificate validation helper, Squid can match and exceed
default browser protections when it comes to certificate validation. As
you probably know already, with that helper, _you_ control which server
certificates are distrusted:

  http://www.squid-cache.org/Doc/config/sslcrtvalidator_program/
  http://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator

AFAIK, it is very difficult to write and maintain a good validator. If
you cannot find an existing one that meets your needs and you are not an
SSL expert, then you probably should not try to write one. I am not
aware of any validators or libraries you can reuse, but that does not
mean they do not exist. If nothing like this exists, there is probably
an open source project and/or business opportunity here!


Without a custom validator, Squid validation is pretty much as good as
your OpenSSL installation, which can be better or worse than a specific
browser installation.


Good luck,

Alex.
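
Added example, not part of the original post and not Squid project code: a Python sketch of the decision step inside a validator helper that distrusts more than OpenSSL does, by pinning a leaf-certificate fingerprint per host while never clearing an error that was already reported. Assumptions: the request/reply key names (host, cert_N, error_name_N, error_reason_N, error_cert_N) follow the helper documentation linked above and should be checked against your Squid version; cert_0 is taken to be the server's own certificate; the channel-ID and length framing is left out; the sample input is constructed.

```python
import base64, hashlib, re

# Constructed sample input: the payload below is NOT a real certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----")
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()
SAMPLE_REQUEST = "host=intranet.example.com\ncert_0=" + SAMPLE_PEM + "\n"

# Key names are an assumption taken from the helper documentation linked in the post.
KEY_RE = re.compile(r"^(host|proto_version|cipher|cert_\d+|error_name_\d+|error_cert_\d+)=(.*)$")
PIN_ERROR = "X509_V_ERR_APPLICATION_VERIFICATION"  # OpenSSL's application-level rejection

def parse_request(body):
    """Split a request body into fields; PEM values continue over several lines."""
    fields, key = {}, None
    for line in body.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2)
        elif key is not None:
            fields[key] += "\n" + line  # continuation of a multi-line PEM value
    return fields

def fingerprint(pem):
    """SHA-256 of the DER bytes carried inside a PEM block."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def decide(fields, pins):
    """Return (result, reply_body); errors already reported are never cleared."""
    ids = sorted(int(k.rsplit("_", 1)[1]) for k in fields if k.startswith("error_name_"))
    reply = []
    for n in ids:  # echo every reported error back so it stays in force
        name = fields["error_name_%d" % n]
        cert = fields.get("error_cert_%d" % n, "cert_0")
        reply += [f"error_name_{n}={name}", f"error_reason_{n}=Reported by OpenSSL",
                  f"error_cert_{n}={cert}"]
    pin, leaf = pins.get(fields.get("host", "")), fields.get("cert_0")
    if pin is not None and (leaf is None or fingerprint(leaf) != pin):
        n = max(ids, default=-1) + 1  # extra distrust on top of the OpenSSL verdict
        reply += [f"error_name_{n}={PIN_ERROR}",
                  f"error_reason_{n}=Pinned fingerprint mismatch", f"error_cert_{n}=cert_0"]
    return ("ERR" if reply else "OK"), "\n".join(reply)

if __name__ == "__main__":
    print(decide(parse_request(SAMPLE_REQUEST), {"intranet.example.com": SAMPLE_PIN}))
```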