[squid-users] Https_port with "official" certificate

Antony Stone Antony.Stone at squid.open.source.it
Wed Aug 24 13:24:57 UTC 2016


On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:

> >> Then I do not understand what he wants op.
> 
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
> 
> > Secure connection to squid proxy without need for anything else (on
> > client side) than configuring proxy in browser.
> 
> > Using provided signed certificates.
> > No SSL-bumping or whatever just forwarding.
> 
> Firstly, the concept is not safe. Users will have a secure connection to
> the proxy

Yes, that is all the OP is looking for.

> as well as the next?

Once it leaves the OP's network I suspect the risk (of eavesdropping etc) is 
reduced.

> HTTP? User misled green padlock,

I do not think the browser will show an SSL/TLS padlock for a secured proxy 
connection - it only shows this for a secured connection to the destination 
server.  Therefore no misled users.

> believes all secure connection - as external traffic is not encrypted
> after the fact. Second. You seriously think that the world will sit
> under HTTPS? What, for example, you want to protect on news sites?

I don't understand what you are saying here.

The connection across the local network between browser and proxy is secured.

Beyond that everything works across the Internet just as normal - HTTP sites 
are not secured, HTTPS sites are secured.  The user sees the SSL padlock and 
certificate chain for HTTPS sites, nothing for HTTP sites.

So, the design is more secure over the local network than the standard 
arrangement, and exactly the same beyond the local network.

No security is being compromised or downgraded.


Antony.

-- 
Douglas was one of those writers who honourably failed to get anywhere with 
'weekending'.  It put a premium on people who could write things that lasted 
thirty seconds, and Douglas was incapable of writing a single sentence that 
lasted less than thirty seconds.

 - Geoffrey Perkins, about Douglas Adams

                                                   Please reply to the list;
                                                         please *don't* CC me.
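The setup Antony describes (TLS only on the browser-to-proxy hop, no bumping, origin HTTPS tunnelled through CONNECT untouched) corresponds to a small squid.conf fragment like the one below. This is an added example for readers of the thread, not configuration posted by anyone in it; the hostname proxy.example.com, the port 3129, the certificate and key paths and the 192.168.0.0/16 client range are assumptions chosen for illustration.

```conf
# /etc/squid/squid.conf (excerpt) - added illustration, not from the thread.
# Hostname, port, paths and client subnet below are assumed values.

# Optional plain proxy port for clients that cannot talk TLS to the proxy.
http_port 3128

# TLS-protected proxy port using the publicly trusted certificate issued
# for proxy.example.com.  The PEM file is assumed to hold the server
# certificate first, followed by the intermediate CA certificate(s), so
# that browsers can build the chain without any local CA install.
# Squid 3.5 syntax:
https_port 3129 cert=/etc/squid/certs/proxy.example.com.fullchain.pem key=/etc/squid/certs/proxy.example.com.key
# Squid 4 and later renamed the options; use this line instead there:
# https_port 3129 tls-cert=/etc/squid/certs/proxy.example.com.fullchain.pem tls-key=/etc/squid/certs/proxy.example.com.key

# Deliberately no ssl_bump directives: CONNECT tunnels to HTTPS origins are
# forwarded as opaque byte streams, so the browser still validates the
# origin's own certificate and shows (or withholds) the padlock for it.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Only the local network may use the proxy.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

Two checks are worth running once this is in place. First, verify the chain the proxy actually serves with `openssl s_client -connect proxy.example.com:3129 -servername proxy.example.com </dev/null` and look for "Verify return code: 0 (ok)"; a missing intermediate shows up here long before users report browser errors. Second, exercise the path end to end with a client that supports HTTPS proxies, e.g. `curl -x https://proxy.example.com:3129 -I http://example.com/` (curl 7.52 or later), or a PAC file returning `"HTTPS proxy.example.com:3129"`, which Firefox and Chromium both understand; the plain `PROXY` keyword would fall back to cleartext to the proxy and silently defeat the point of the exercise. Keep the private key file readable only by the Squid user, and note that the proxy still sees every HTTP request in clear and the CONNECT target host for every HTTPS request, exactly as it would with a plain http_port.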

