[squid-users] Https_port with "official" certificate
Yuri Voinov
yvoinov at gmail.com
Wed Aug 24 13:30:33 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
24.08.2016 19:24, Antony Stone пишет:
> On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:
>
>>>> Then I do not understand what he wants op.
>>
>>
http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connecti
>> on
>>
>>> Secure connection to squid proxy without need for anything else (on
>>> client side) than configuring proxy in browser.
>>
>>> Using provided signed certificates.
>>> No SSL-bumping or whatever just forwarding.
>>
>> Firstly, the concept is not safe. Users will have a secure connection to
>> the proxy
>
> Yes, that is all the OP is looking for.
>
>> as well as the next?
>
> Once it leaves the OP's network I suspect the risk (of eavesdropping
etc) is
> reduced.
>
>> HTTP? User misled green padlock,
>
> I do not think the browser will show an SSL/TLS padlock for a secured
proxy
> connection - it only shows this for a secured connection to the
destination
> server. Therefore no misled users.
>
>> believes all secure connection - as external traffic is not encrypted
>> after the fact. Second. You seriously think that the world will sit
>> under HTTPS? What, for example, you want to protect on news sites?
>
> I don't understand what you are saying here.
May be some misunderstanding here.
If we are talking about encryption, just authentication proxy - is one
thing. If encryption of all client traffic at all only to the proxy, not
caring about what happens to it next - is another.
>
> The connection across the local network between browser and proxy is
secured.
>
> Beyond that everything works across the Internet just as normal - HTTP
sites
> are not secured, HTTPS sites are secured. The user sees SSL padlock and
> certificate chain for HTTPS sites, nothing for HTTP sites.
>
> So, the design is more secure over the local network than the standard
> arrangement, and exactly the same beyond the local network.
Correct LAN design solves most of these problems.
>
>
> No security is being compromised or downgraded.
Not sure.
>
>
>
> Antony.
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXvaF5AAoJENNXIZxhPexG7MMH/RYfzKl3PMQFBtbjZ8jg6Jra
4dtgJifJTLjSsF0NSqRtT/iZ8KpW3SrSJ+10Ht9IoVbjGiAL8p8/FMLh8/ImTmqJ
QxqI0ovLgj/YuHoxlm4U25L7NG0amzUTINhNXRw79Yvp5RxNEyAmfFpy0mAfD34h
ClXQQeWsCalS8Wz7yGqpgp28T9m86l3BNe+SoP+Q1/tfIkopcGD4Hz32N32J/Bsm
Wen8JMW2f6BAa0mIbb+tV9q1dI5stommTtprCzi8kAtzqX2bbBt3Nnz+xXQWZmwZ
tEO9CsLN4fTSUGILLQG2Bv5ZyT0tAFvhxzCBoz8hpBO+NcIPkm5OgkzpGe32/NA=
=A9CF
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160824/8df31cb7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160824/8df31cb7/attachment.key>
More information about the squid-users
mailing list