<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">26.03.2018 02:45, Amos Jeffries wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9a89b18e-ec38-27be-8471-8a6a10db3fb8@treenet.co.nz">
<pre wrap="">On 26/03/18 04:41, Yuri wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
25.03.2018 20:32, Matus UHLAR - fantomas wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">On 25/03/2018 at 13:08, Yuri wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The problem is not installing the proxy CA. The problem is identifying
that a client has no proxy CA and redirecting it, and doing that only once.
</pre>
</blockquote>
</blockquote>
<pre wrap="">
On 25.03.18 13:46, Nicolas Kovacs wrote:
</pre>
<blockquote type="cite">
<pre wrap="">That is exactly the problem. And I have yet to find a solution for
that.
The current method is to instruct everyone - with a printed paper in
the office - to connect to proxy.company-name.lan and then get further
instructions from the page. This works, but an automatic splash page
would be more elegant.
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">25.03.2018 18:42, Matus UHLAR - fantomas wrote:
</pre>
<blockquote type="cite">
<pre wrap="">impossible and unsafe. The CA must be installed before such a splash
page shows
</pre>
</blockquote>
</blockquote>
<pre wrap="">
On 25.03.18 18:44, Yuri wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Possible. "Safe/Unsafe" should not be a discussion when SSL Bump is
implemented already.
</pre>
</blockquote>
<pre wrap="">
It's possible to install a splash page, but not to install a trusted
authority certificate. Using such an authority on a proxy is a MITM
attack, and the whole of SSL has been designed to prevent this.
</pre>
</blockquote>
<pre wrap="">Heh. If SSL was so designed, why is SSL Bump itself possible? ;):-P
</pre>
</blockquote>
<pre wrap="">
As all our SSL-Bump documentation should be saying:
when TLS is used properly SSL-Bump *does not work*.
A client checking the cert validity and producing _its own_ error page
about missing/unknown/untrusted CA is one of those cases. Since the
client is producing the "page" itself there is no possibility of Squid
replacing that with something else.</pre>
</blockquote>
Amos,<br>
<br>
Squid is irrelevant here. "Used properly" and "implemented
properly", and, especially, "designed properly" - which means
"secure by design", like SSH or The Onion Router.<br>
<br>
HTTPS is <b>NOT</b>.<br>
<br>
Security should not be dependent on client/user behaviour. For
example, end-to-end security in IM: it is completely independent
of the user.<br>
<br>
If HTTPS permits MiTM in theory and practice in any manner, it is
insecure by design. Period.<br>
<br>
<blockquote type="cite"
cite="mid:9a89b18e-ec38-27be-8471-8a6a10db3fb8@treenet.co.nz">
<pre wrap="">
Amos
_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>