[squid-users] How to configure a "proxy home" page ?
Yuri
yvoinov at gmail.com
Sun Mar 25 16:00:05 UTC 2018
In principle, I do not consider as secure the technology that allows
MiTM (even in theory) - anyway, for what purpose.
Since this is so - HTTPS is nothing more than a security theater with a
green lock for calming users.
This does not mean that I do not care about the security and privacy of
users. But I provide it somewhat differently, carefully protecting the
proxy itself, its infrastructure and its cache.
25.03.2018 21:41, Yuri пишет:
>
>
>
> 25.03.2018 20:32, Matus UHLAR - fantomas пишет:
>>>>> Le 25/03/2018 à 13:08, Yuri a écrit :
>>>>>> The problem is not install proxy CA. The problem is identify client
>>>>>> has no proxy CA and redirect, and do it only one time.
>>>>
>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>> that.
>>>>>
>>>>> Current method is instruct everyone - with a printed paper in the
>>>>> office
>>>>> - to connect to proxy.company-name.lan and then get further
>>>>> instructions
>>>>> from the page. This works, but an automatic splash page would be more
>>>>> elegant.
>>
>>> 25.03.2018 18:42, Matus UHLAR - fantomas пишет:
>>>> impossible and unsafe. The CA must be installed before such splash
>>>> page shows
>>
>> On 25.03.18 18:44, Yuri wrote:
>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>> implemented already.
>>
>> it's possible to install splash page, but not install trusted authority
>> certificate. Using such authority on a proxy is the MITM attack and
>> whole
>> SSL has been designed to prevent this.
> Heh. If SSL designed - why SSL Bump itself possible? ;):-P
>>
>> without certificate, the browser complains which is a security measure
>> against this.
> Sure. It should.
>>
>>>> up and in such case the splash page is irelevant.
>>>>
>>>> If you have windows domain, you can force security policy through it.
>>
>>> In enterprise environment with AD, yes. But hardly in service
>>> provider's
>>> scenarious.
>>
>> service providers should not do this without users' permission.
>> at least not in countries where the privacy is guaranteed by law.
> Thank you, Captain Obvious. :-) Enterprises also should get user
> agreement before do that. Especially in BYOD scenarious.
>
> All these things are well known here. The question was about technical
> implementation, and not about the well-known truisms in the field of
> security and privacy (in most cases of ephemeral).
>
> --
> "C++ seems like a language suitable for firing other people's legs."
>
> *****************************
> * C++20 : Bug to the future *
> *****************************
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180325/b725b5ce/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180325/b725b5ce/attachment.sig>
More information about the squid-users
mailing list