[squid-users] Settings for Bank & Health

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Mar 13 08:06:24 UTC 2018


On 13.03.18 20:37, Al Grant wrote:
>I have been told it would be good practice to respect users privacy when it
>comes to banking and health websites.

it's good practice respect users privacy when it comes to all websites.

>I am not sure whether this means not logging those websites, not caching
>them or something else?

in fact, both. However it's not a problem unless you bump SSL connections.
without it, you just see CONNECT requests in proxy logs, which doesn't
violate privacy.
(at least not much, you know where user connects but that's all).

in some countries you are obligated to save the logs for some time.

>Can someone please elaborate, and perhaps how it would be achieved? I am
>currently running a non transparent proxy with wpad.

Bumping SSL connections means decrypting the traffic and removing privacy.
(SSL is designed for end-to-end encryption and valication).

Bumping decrypts the connection, provide own certificates, and make own SSL
connection to the web sites.

Users will not see the green bar commonly seen at banking sites, coming from
extended validation certificate.

if you do ssl bumping, you must be very careful - because of both legal and
technical issues. 

If you don't, you should have no problem.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


More information about the squid-users mailing list