[squid-users] Settings for Bank & Health

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Mar 13 11:11:51 UTC 2018


>> On 13.03.18 20:37, Al Grant wrote:
>>> I have been told it would be good practice to respect users privacy when
>>> it comes to banking and health websites.
>>> I am not sure whether this means not logging those websites, not caching
>>> them or something else?

>On Tue, Mar 13, 2018 at 9:06 PM, Matus UHLAR - fantomas <uhlar at fantomas.sk>
>wrote:
>> in fact, both. However it's not a problem unless you bump SSL connections.
>> without it, you just see CONNECT requests in proxy logs, which doesn't
>> violate privacy.

On 13.03.18 21:17, Al Grant wrote:
>So would you see all the URLs for a given site in the logs?

No. CONNECT only provides host/IP and port, nothing more.

>> Bumping SSL connections means decrypting the traffic and removing privacy.
>> (SSL is designed for end-to-end encryption and valication).
>>
>> Bumping decrypts the connection, provide own certificates, and make own SSL
>> connection to the web sites.
>>
>> Users will not see the green bar commonly seen at banking sites, coming
>> from
>> extended validation certificate.
>>
>>
>I don't see the need to go as far as filtering traffic based on content.
>However I would like to be able to view the URLs visited.

viewing URLs in HTTPS connections requires decrypting SSL.
decrypting SSL removes privacy and brings problems.
don't decrypt unless you really have to.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


More information about the squid-users mailing list