[squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

Yuri Voinov yvoinov at gmail.com
Tue Nov 1 20:47:41 UTC 2016


02.11.2016 2:03, Alex Rousskov wrote:
> On 10/31/2016 04:13 PM, L. A. Walsh wrote:
>> Google is pushing this for all websites by October 2017
>
> Just Extended Validation (EV) sites, to be exact AFAICT. All other sites
> will be forced into the new scheme sometime later. Naturally, this may
> result in requests to downgrade mimicked server certificates to remove
> the EV extension (assuming we mimic it today).
>
>
>>    https://www.certificate-transparency.org/what-is-ct
>>
>> Seems to indicate that site-local generated and imported
>> certs may also be detected as invalid and be disallowed for
>> SSL connection approvals.  That would be a major pain
>
> The question is whether the affected browsers will have knobs to disable
> CT checks or perhaps to configure custom Certificate Log addresses. If
> everything is hard-coded, then bumping is doomed. Otherwise, expect more

Alex, can you elaborate on this point a little more? Since the whole
Internet is smoothly moving to HTTPS, if SSL bump becomes impossible
to do, should it be understood that in such a situation you will close
the Squid project as unnecessary? :) Seriously, why would it then be
needed in a world without HTTP?

>
> sysadmin pains. You can probably answer that question now by studying

System administrators should always suffer. :) You'd think they now have
a little pain with the installation of the proxy certificates on mobile
devices. :) By the way, these crutches in HTTPS make no sense if they
can be disabled in some way. It is my deep personal conviction. :)

>
> Chrome configuration.
>
> Alex.

- -- 
Cats - delicious. You just do not know how to cook them.
