[squid-users] Https_port with "official" certificate
Antony Stone
Antony.Stone at squid.open.source.it
Wed Aug 24 13:24:57 UTC 2016
On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:
> >> Then I do not understand what the OP wants.
>
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>
> > Secure connection to squid proxy without need for anything else (on
> > client side) than configuring proxy in browser.
>
> > Using provided signed certificates.
> > No SSL-bumping or whatever just forwarding.
>
> Firstly, the concept is not safe. Users will have a secure connection to
> the proxy
Yes, that is all the OP is looking for.
> as well as the next?
Once it leaves the OP's network I suspect the risk (of eavesdropping etc) is
reduced.
> HTTP? The user is misled by the green padlock,
I do not think the browser will show an SSL/TLS padlock for a secured proxy
connection - it only shows this for a secured connection to the destination
server. Therefore no misled users.
> believes the whole connection is secure - as external traffic is not encrypted
> after the fact. Second: do you seriously think that the world will sit
> under HTTPS? What, for example, do you want to protect on news sites?
I don't understand what you are saying here.
The connection across the local network between browser and proxy is secured.
Beyond that everything works across the Internet just as normal - HTTP sites
are not secured, HTTPS sites are secured. The user sees the SSL padlock and
certificate chain for HTTPS sites, nothing for HTTP sites.
So, the design is more secure over the local network than the standard
arrangement, and exactly the same beyond the local network.
No security is being compromised or downgraded.
Antony.
--
Douglas was one of those writers who honourably failed to get anywhere with
'weekending'. It put a premium on people who could write things that lasted
thirty seconds, and Douglas was incapable of writing a single sentence that
lasted less than thirty seconds.
- Geoffrey Perkins, about Douglas Adams
Please reply to the list;
please *don't* CC me.
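The arrangement Antony describes (TLS between browser and proxy, plain forwarding beyond it), as an added example that is not part of the original post or of Squid's own configuration: a squid.conf fragment for an https_port listener with a CA-signed certificate and no ssl_bump rules, the PAC entry that makes the browser talk TLS to the proxy, and a post-deployment check that the proxy's certificate chain validates against the client's trust store and that one HTTP and one HTTPS request pass through it. The host name proxy.example.com, port 3129, the certificate paths and the 192.168.0.0/16 client range are assumptions; the tls-cert=/tls-key= option names are Squid 4's, Squid 3.5 spells them cert=/key=.

```shell
#!/bin/sh
# Added example, not from the original post or the Squid project.
# Encrypted browser-to-proxy hop with a CA-signed certificate and no
# SSL bumping: emit a squid.conf fragment and a PAC file, and verify the
# deployed listener. Host, port, paths and client range are assumptions.
PROXY_HOST="${PROXY_HOST:-proxy.example.com}"   # CN/SAN on the certificate
PROXY_PORT="${PROXY_PORT:-3129}"
TLS_DIR="${TLS_DIR:-/etc/squid/tls}"

# squid.conf fragment. The certificate file must hold the server cert
# followed by the CA's intermediate(s), or browsers cannot build the chain.
# Option names are Squid 4's; Squid 3.5 spells them cert= and key=.
# Deliberately no ssl_bump: HTTPS from the browser is tunnelled with
# CONNECT exactly as a plain http_port would tunnel it.
make_squid_conf() {
cat <<EOF
https_port ${PROXY_PORT} tls-cert=${TLS_DIR}/${PROXY_HOST}.fullchain.pem tls-key=${TLS_DIR}/${PROXY_HOST}.key
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
}

# PAC file for the browsers. "HTTPS host:port" (supported by Firefox and
# Chrome) makes the browser open a TLS connection to the proxy for every
# request; no DIRECT fallback, so an unreachable proxy fails closed instead
# of quietly sending traffic in the clear across the LAN.
make_pac() {
cat <<EOF
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) { return "DIRECT"; }
  return "HTTPS ${PROXY_HOST}:${PROXY_PORT}";
}
EOF
}

# Post-deployment check from a client: the chain the proxy presents must
# validate against the system trust store (this is what an "official"
# certificate buys: no client-side CA install), then one HTTP and one
# HTTPS request are sent through the TLS proxy (needs curl 7.52+ built
# with HTTPS-proxy support).
check_proxy() {
  openssl s_client -connect "${PROXY_HOST}:${PROXY_PORT}" \
    -servername "${PROXY_HOST}" -verify_return_error </dev/null >/dev/null 2>&1 \
    || { echo "certificate chain of ${PROXY_HOST} did not validate" >&2; return 1; }
  for u in http://example.com/ https://example.com/; do
    curl -sS -o /dev/null -w "$u -> HTTP %{http_code}\n" \
      --proxy "https://${PROXY_HOST}:${PROXY_PORT}" "$u" || return 1
  done
}

case "${1:-}" in
  conf)  make_squid_conf ;;
  pac)   make_pac ;;
  check) check_proxy ;;
esac
```

Run it with `conf` or `pac` to print the two files, and with `check` from a client once the listener is up; `squid -k parse` validates the resulting squid.conf before a reload. The chain check is the part that matters for the OP's requirement: if `openssl s_client -verify_return_error` passes against the client's default trust store, the browser will accept the proxy with no certificate installed on the client side, and because nothing is bumped the browser's padlock and certificate chain for each site remain those of the origin server, as Antony says.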