[squid-users] Encrypt CONNECT Header

Amos Jeffries squid3 at treenet.co.nz
Thu May 7 00:10:49 UTC 2020


Alex has already covered the main point for your issue. Below are
details I think are worth you spending some time on in addition to the
encryption.


On 7/05/20 3:18 am, Matus UHLAR - fantomas wrote:
> On 05.05.20 17:29, Ryan Le wrote:
>> Proxy-Authorization is of concern here. Most modern browsers now support
>> PAC with HTTPS versus PROXY.
> 

It sounds like you know something about the browser support. If you have
any more information than we document at
<https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>
please mention it.

> 
>> The Proxy-Authorization can carry the Basic Auth (and NTLM) credentials
>> which is of concern currently since all users are mobile.

Only if the proxy explicitly requests those credentials. It is highly
recommended that you upgrade any insecure authentication protocols
regardless of whether TLS is used.

NTLM is the worst auth scheme and was superseded by Kerberos
decades ago. Please at least upgrade that.


Amos
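
Added example, not part of the original message and not Squid code: a small check of which schemes a proxy requests in its 407 challenge, since credentials are only sent when the proxy asks for them. The sample response, the rating labels and the function names `offered_schemes` and `audit` are assumptions made for this illustration.

```python
# Added example: audit which auth schemes a proxy asks clients for.
# The 407 response below is constructed sample data, not captured traffic.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="proxy"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Ratings follow the advice in the message above; the labels are this example's own.
RATING = {
    "basic": "weak: password is only base64-encoded in Proxy-Authorization",
    "ntlm": "weak: legacy scheme, replace with Kerberos",
    "negotiate": "preferred: Negotiate, the scheme that carries Kerberos",
}


def offered_schemes(raw_response):
    """Return the auth schemes named in Proxy-Authenticate headers, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "407":
        return []  # the proxy did not request credentials
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def audit(raw_response, listener_is_tls):
    """Map each offered scheme to a finding; note cleartext transport."""
    findings = {}
    for scheme in offered_schemes(raw_response):
        note = RATING.get(scheme, "unrated: review manually")
        if not listener_is_tls and scheme in ("basic", "ntlm"):
            note += "; sent over an unencrypted browser-proxy hop"
        findings[scheme] = note
    return findings


if __name__ == "__main__":
    for scheme, note in audit(SAMPLE_407, listener_is_tls=False).items():
        print(f"{scheme:10s} {note}")
```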

