[squid-users] How to configure a "proxy home" page ?

Yuri yvoinov at gmail.com
Mon Mar 26 01:12:44 UTC 2018



26.03.2018 07:08, Amos Jeffries wrote:
> On 26/03/18 13:44, Yuri wrote:
>>
>> 26.03.2018 06:41, Yuri wrote:
>>> 26.03.2018 06:30, Amos Jeffries wrote:
>>>> On 26/03/18 12:34, Yuri wrote:
>>>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>>>> On 26/03/18 12:07, Yuri wrote:
>>>>>>> 26.03.2018 05:05, Amos Jeffries wrote:
>>>>>>>> On 26/03/18 11:05, Yuri wrote:
>>>> On 26/03/18 12:34, Yuri wrote:
>>>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>>>> This is what I mean by "TLS used properly" - proper is when it always
>>>>>> circles back to the user deciding who they trust. No matter how indirectly,
>>>>>> the user installs a (root) CA causing trust or allows someone else to
>>>>>> do so.
>>>>> Generally speaking, yes.
>>>>>
>>>>> I just mean that in some other protocols you have no possibility of
>>>>> performing MiTM in any way, whether installing something or not. This
>>>>> prevents any improper or malicious use of the protocol.
>>>>>
>>>>> TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise
>>>>> SSH by installing any keys/certs on the client. Correct? This is by design?
>>>> No. SSH is just TCP/telnet over TLS. So if the SSH software were to
>>>> trust the cert/key Squid delivers one could use SSL-Bump on that SSH
>>>> traffic.
>>> You sure?
>>>
>>> https://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl-especially-in-terms-of-sftp-vs-ftp-over-ssl
>>>
>>> Quote: "SSH has its own transport protocol independent from SSL, so that
>>> means SSH DOES NOT use SSL under the hood."
>>>
>>> Because I'm not. Different sources say the opposite.
>> I'm sure SSH uses openssl under the hood. But I'm not sure it uses the same
>> tunneling implementation as TLS-over-HTTP. And there is still no known
>> method to MiTM SSH, AFAIK.
> I'm not 100% sure, but it uses the same message framing as TLS and
> performs the same handshake sequence and security verifications.
This is not the same as transport, yes? Because transport is the primary
target for bumping.
>
> That said *SSL* _is_ different from TLS so the quote is technically
> correct either way.
It seems to me that the difference is not of principle. Both SSL and TLS
use the same architecture, in which, in principle, it is possible to
have an MiTM certificate, which one of the parties trusts.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
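
The transport question discussed in this message can be checked on the wire: an SSH client opens with a plain-text identification string (RFC 4253, section 4.2), while a TLS client opens with a binary handshake record carrying a ClientHello. The sketch below is an added example, not code from this thread or from Squid; the function name `classify_first_bytes` and the sample byte strings are constructed for illustration.

```python
import re
import struct

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion is printable US-ASCII without whitespace or '-'.
SSH_IDENT = re.compile(
    rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: [^\r\n]*)?\r?\n"
)

TLS_HANDSHAKE = 0x16      # TLS record ContentType "handshake"
TLS_CLIENT_HELLO = 0x01   # HandshakeType "client_hello"
TLS_MAX_PLAINTEXT = 2 ** 14


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a client sends on a new TCP connection."""
    m = SSH_IDENT.match(data)
    if m:
        return {"protocol": "ssh",
                "protoversion": m.group(1).decode("ascii"),
                "software": m.group(2).decode("ascii")}
    # TLS record header: type(1) major(1) minor(1) length(2), then the
    # handshake message type as the first byte of the record body.
    if len(data) >= 6:
        ctype, major, minor, length = struct.unpack(">BBBH", data[:5])
        if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
                and 0 < length <= TLS_MAX_PLAINTEXT
                and data[5] == TLS_CLIENT_HELLO):
            return {"protocol": "tls",
                    "record_version": f"{major}.{minor}",
                    "record_length": length}
    return {"protocol": "unknown"}


# Constructed samples (not captured traffic).
SAMPLE_SSH = b"SSH-2.0-OpenSSH_7.6\r\n"
SAMPLE_TLS = bytes.fromhex("1603010005" "0100000100")  # truncated ClientHello
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_TLS, SAMPLE_HTTP):
        print(classify_first_bytes(sample))
```

A proxy that expects a TLS ClientHello on an intercepted connection sees the SSH banner as a different protocol at the first byte, before any certificate or key trust decision is reached.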
