[squid-users] How to configure a "proxy home" page ?

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Mar 27 17:19:56 UTC 2018


>> On 26.03.18 19:16, Yuri wrote:
>>> SSH immediately notifies you
>>> when the server key surprisingly changes.

>26.03.2018 21:36, Matus UHLAR - fantomas wrote:
>> only when you already have the host key installed in your client. If
>> there's a MITM attack before you get the key, you will not notice that,
>> unless you get the key by some other (secure) way.

On 26.03.18 21:45, Yuri wrote:
>By analogy with TLS - let's imagine I've already been on the site. With SSH,
>the client notifies me - "Hey, man, you're trying to connect to a server with ....
>fingerprint. Add it, Yes/No?"
>
>Instead of this, TLS never notifies me if the third-party CA is known to the client.

TLS was designed with periodic key rollout after a time, while SSH was not.
You must take care of it manually, or not at all.

SSH was (apparently) designed with the possibility of (semi-)physical access to the
server, so you can verify keys personally.

This is not applicable with TLS, where everyone should be able to
communicate with everyone.

This way SSH is more similar to PGP, where users have to exchange their
public keys to be trusted.

(You can get keys from a trusted friend, which is in fact similar to a CA.)

>> unlike SSL, SSH was not designed to be used globally between everyone, more
>> within one or more "friend" organizations, so it didn't specify how host
>> keys are verified (the SSHFP DNS record just transfers trust to DNS, which
>> can be hijacked too).
>To be honest, a weak argument. A secure connection should always be
>encrypted end-to-end and should not "trust" third parties either.
>Never. Otherwise it is an insecure connection. IMHO.

SSL is encrypted end-to-end. Trusted third-party CAs are just a way to
avoid the need for everyone to go to every company owning a site for the
server keys once in their lifetime (usually a year).

Even the CA doesn't see your communication, unless they perform the MITM attack
themselves.

>>> Yes, users are involved in both cases. However, the difference is still here.
>>> SSH is end-to-end always by design (we're not talking about things like
>>> Kerberos here), TLS is not.

>> TLS was designed to be end-to-end encryption and the certificate authority

>As Stanislavsky said, "I do not believe it!"
>
>End-to-end encryption and the (/trusted third-party/) certificate
>authority: these are antonyms.

Well, you can tell this to your clients, but the main point - breaking into
users' communication that is supposed to be unbreakable by you - is
something you must explain to your clients and possibly to the lawyers.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)
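As an added illustration of the trust-on-first-use point argued in this thread (this is not code from the thread or from Squid): a minimal known_hosts-style store, with constructed sample keys and a hypothetical host name, that shows why a changed key is caught after first contact, while an attacker present at first contact simply gets pinned.

```python
import base64
import hashlib

# Constructed sample keys (not real server keys): an ssh-ed25519 public key is the
# wire blob string("ssh-ed25519") || string(32 raw bytes), base64-encoded.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

def make_ed25519_key_line(raw32: bytes, comment: str) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

SERVER_KEY = make_ed25519_key_line(bytes(range(32)), "real-server")      # constructed
ATTACKER_KEY = make_ed25519_key_line(bytes(range(32, 64)), "mitm-box")   # constructed

def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints: SHA256:<base64 without '='>."""
    b64 = key_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class KnownHosts:
    """Minimal trust-on-first-use store, mirroring what the client's known_hosts does."""
    def __init__(self):
        self._pinned = {}          # host -> fingerprint seen at first contact

    def check(self, host: str, key_line: str) -> str:
        fp = fingerprint(key_line)
        pinned = self._pinned.get(host)
        if pinned is None:
            return "UNKNOWN"       # first contact: nothing to compare, user must verify out of band
        return "OK" if pinned == fp else "CHANGED"   # rollover or MITM, the client cannot tell which

    def pin(self, host: str, key_line: str) -> None:
        self._pinned[host] = fingerprint(key_line)

def scenario(first_contact_key: str) -> list:
    """Connect three times: first contact, then the real server, then an interposed attacker."""
    kh = KnownHosts()
    verdicts = [kh.check("example.test", first_contact_key)]   # hypothetical host name
    kh.pin("example.test", first_contact_key)                  # user answered "Yes" to the prompt
    verdicts.append(kh.check("example.test", SERVER_KEY))
    verdicts.append(kh.check("example.test", ATTACKER_KEY))
    return verdicts

if __name__ == "__main__":
    print(scenario(SERVER_KEY))    # ['UNKNOWN', 'OK', 'CHANGED']
    print(scenario(ATTACKER_KEY))  # ['UNKNOWN', 'CHANGED', 'OK']: attacker pinned at first contact
```

The second run is the case from the thread: if the MITM is in place before the key is ever pinned, the real server is the one that later looks "CHANGED".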
