<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>In principle, I do not consider as secure the technology that
allows MiTM (even in theory) - anyway, for what purpose.</p>
<p>Since this is so - HTTPS is nothing more than a security theater
with a green lock for calming users.<br>
<br>
This does not mean that I do not care about the security and
privacy of users. But I provide it somewhat differently, carefully
protecting the proxy itself, its infrastructure and its cache.<br>
</p>
<br>
<div class="moz-cite-prefix">25.03.2018 21:41, Yuri пишет:<br>
</div>
<blockquote type="cite"
cite="mid:2b9f13bc-18ff-ecf1-c5a5-121dd2ce7541@gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">25.03.2018 20:32, Matus UHLAR -
fantomas пишет:<br>
</div>
<blockquote type="cite"
cite="mid:20180325143213.GC2303@fantomas.sk">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">Le 25/03/2018 à 13:08, Yuri a écrit
: <br>
<blockquote type="cite">The problem is not install proxy
CA. The problem is identify client <br>
has no proxy CA and redirect, and do it only one time. <br>
</blockquote>
</blockquote>
<br>
On 25.03.18 13:46, Nicolas Kovacs wrote: <br>
<blockquote type="cite">That is exactly the problem. And I
have yet to find a solution for that. <br>
<br>
Current method is instruct everyone - with a printed paper
in the office <br>
- to connect to proxy.company-name.lan and then get
further instructions <br>
from the page. This works, but an automatic splash page
would be more <br>
elegant. <br>
</blockquote>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">25.03.2018 18:42, Matus UHLAR - fantomas
пишет: <br>
<blockquote type="cite">impossible and unsafe. The CA must be
installed before such splash <br>
page shows <br>
</blockquote>
</blockquote>
<br>
On 25.03.18 18:44, Yuri wrote: <br>
<blockquote type="cite">Possible. "Safe/Unsafe" should not be
discussion when SSL Bump <br>
implemented already. <br>
</blockquote>
<br>
it's possible to install splash page, but not install trusted
authority <br>
certificate. Using such authority on a proxy is the MITM attack
and whole <br>
SSL has been designed to prevent this. <br>
</blockquote>
Heh. If SSL designed - why SSL Bump itself possible? ;)<span
class="moz-smiley-s4"><span>:-P</span></span><br>
<blockquote type="cite"
cite="mid:20180325143213.GC2303@fantomas.sk"> <br>
without certificate, the browser complains which is a security
measure <br>
against this. <br>
</blockquote>
Sure. It should.<br>
<blockquote type="cite"
cite="mid:20180325143213.GC2303@fantomas.sk"> <br>
<blockquote type="cite">
<blockquote type="cite">up and in such case the splash page is
irelevant. <br>
<br>
If you have windows domain, you can force security policy
through it. <br>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">In enterprise environment with AD, yes.
But hardly in service provider's <br>
scenarious. <br>
</blockquote>
<br>
service providers should not do this without users' permission.
<br>
at least not in countries where the privacy is guaranteed by
law. <br>
</blockquote>
Thank you, Captain Obvious. <span class="moz-smiley-s1"><span>:-)</span></span>
Enterprises also should get user agreement before do that.
Especially in BYOD scenarious.<br>
<br>
<span id="result_box" class="" lang="en"><span>All these things
are well known here.</span> <span class="">The question was
about technical implementation, and not about the well-known
truisms in the field of security and privacy (in most cases of
ephemeral).</span></span><br>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>