<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">26.03.2018 15:33, Matus UHLAR -
fantomas wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20180326093308.GA30743@fantomas.sk">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">On 25/03/2018 at 13:08, Yuri wrote:
<br>
<blockquote type="cite">The problem is not installing the proxy
CA. The problem is identifying that the client
<br>
has no proxy CA and redirecting, and doing it only one time.
<br>
</blockquote>
</blockquote>
<br>
On 25.03.18 13:46, Nicolas Kovacs wrote:
<br>
<blockquote type="cite">That is exactly the problem. And I
have yet to find a solution for
<br>
that.
<br>
<br>
The current method is to instruct everyone - with a printed
paper in the
<br>
office
<br>
- to connect to proxy.company-name.lan and then get
further
<br>
instructions
<br>
from the page. This works, but an automatic splash page
would be more
<br>
elegant.
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">25.03.2018 18:42, Matus UHLAR -
fantomas wrote:
<br>
<blockquote type="cite">impossible and unsafe. The CA must
be installed before such splash
<br>
page shows
<br>
</blockquote>
</blockquote>
<br>
On 25.03.18 18:44, Yuri wrote:
<br>
<blockquote type="cite">Possible. "Safe/Unsafe" should not be
a discussion when SSL Bump
<br>
is implemented already.
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">25.03.2018 20:32, Matus UHLAR - fantomas
wrote:
<br>
<blockquote type="cite">it's possible to install splash page,
but not install trusted authority
<br>
certificate. Using such authority on a proxy is the MITM
attack and
<br>
whole
<br>
SSL has been designed to prevent this.
<br>
</blockquote>
</blockquote>
<br>
On 25.03.18 21:41, Yuri wrote:
<br>
<blockquote type="cite">Heh. If SSL designed - why SSL Bump itself
possible? ;):-P
<br>
</blockquote>
<br>
it's not, you must break through it to allow ssl-bump by
installing your
<br>
CA certificate. You haven't explained how to do that
automatically although
<br>
you claim it's possible.
<br>
<br>
Please provide evidence.
<br>
</blockquote>
Waaaaaaa. No. My misunderstanding. Of course, not automatically.<br>
<blockquote type="cite"
cite="mid:20180326093308.GA30743@fantomas.sk">
<br>
<blockquote type="cite">
<blockquote type="cite">without certificate, the browser
complains which is a security measure
<br>
against this.
<br>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">Sure. It should.
<br>
</blockquote>
<br>
and it does. unless you tweak it not to, which must be configured
manually
<br>
(please provide evidence if not).
<br>
</blockquote>
Exactly. I'm talking only about it. My misunderstanding.<br>
<blockquote type="cite"
cite="mid:20180326093308.GA30743@fantomas.sk">
<br>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">up and in such case the splash page
is irrelevant.
<br>
<br>
If you have windows domain, you can force security policy
through it.
<br>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">In enterprise environment with AD,
yes. But hardly in service provider's
<br>
scenarios.
<br>
</blockquote>
<br>
service providers should not do this without users'
permission.
<br>
at least not in countries where the privacy is guaranteed by
law.
<br>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">Thank you, Captain Obvious. :-)
Enterprises also should get user
<br>
agreement before doing that. Especially in BYOD scenarios.
<br>
<br>
All these things are well known here. The question was about
technical
<br>
implementation, and not about the well-known truisms in the
field of
<br>
security and privacy (in most cases of ephemeral).
<br>
</blockquote>
<br>
maybe you know that, but many of the people asking for ssl bump how-to
do not
<br>
know that. <br>
</blockquote>
I disagree a bit.<br>
<br>
This has been repeated so many times here and in Wiki that it's hard to
imagine that someone does not already know this.<br>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>