<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">25.03.2018 20:32, Matus UHLAR -
fantomas пишет:<br>
</div>
<blockquote type="cite" cite="mid:20180325143213.GC2303@fantomas.sk">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">Le 25/03/2018 à 13:08, Yuri a écrit :
<br>
<blockquote type="cite">The problem is not install proxy CA.
The problem is identify client
<br>
has no proxy CA and redirect, and do it only one time.
<br>
</blockquote>
</blockquote>
<br>
On 25.03.18 13:46, Nicolas Kovacs wrote:
<br>
<blockquote type="cite">That is exactly the problem. And I
have yet to find a solution for that.
<br>
<br>
Current method is instruct everyone - with a printed paper
in the office
<br>
- to connect to proxy.company-name.lan and then get further
instructions
<br>
from the page. This works, but an automatic splash page
would be more
<br>
elegant.
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">25.03.2018 18:42, Matus UHLAR - fantomas
пишет:
<br>
<blockquote type="cite">impossible and unsafe. The CA must be
installed before such splash
<br>
page shows
<br>
</blockquote>
</blockquote>
<br>
On 25.03.18 18:44, Yuri wrote:
<br>
<blockquote type="cite">Possible. "Safe/Unsafe" should not be
discussion when SSL Bump
<br>
implemented already.
<br>
</blockquote>
<br>
it's possible to install splash page, but not install trusted
authority
<br>
certificate. Using such authority on a proxy is the MITM attack
and whole
<br>
SSL has been designed to prevent this.
<br>
</blockquote>
Heh. If SSL designed - why SSL Bump itself possible? ;)<span
class="moz-smiley-s4"><span>:-P</span></span><br>
<blockquote type="cite" cite="mid:20180325143213.GC2303@fantomas.sk">
<br>
without certificate, the browser complains which is a security
measure
<br>
against this.
<br>
</blockquote>
Sure. It should.<br>
<blockquote type="cite" cite="mid:20180325143213.GC2303@fantomas.sk">
<br>
<blockquote type="cite">
<blockquote type="cite">up and in such case the splash page is
irelevant.
<br>
<br>
If you have windows domain, you can force security policy
through it.
<br>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">In enterprise environment with AD, yes.
But hardly in service provider's
<br>
scenarious.
<br>
</blockquote>
<br>
service providers should not do this without users' permission.
<br>
at least not in countries where the privacy is guaranteed by law.
<br>
</blockquote>
Thank you, Captain Obvious. <span class="moz-smiley-s1"><span>:-)</span></span>
Enterprises also should get user agreement before do that.
Especially in BYOD scenarious.<br>
<br>
<span id="result_box" class="" lang="en"><span>All these things are
well known here.</span> <span class="">The question was about
technical implementation, and not about the well-known truisms
in the field of security and privacy (in most cases of
ephemeral).</span></span><br>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>