[squid-users] How to configure a "proxy home" page ?

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Mar 26 15:36:38 UTC 2018


On 26.03.18 19:16, Yuri wrote:
>Disagree.
>
>My point about TLS is quite different.
>
>SSH, by design, assumes end-to-end encryption and does not treat any
>third party as trusted, like TLS does.

Actually, SSH DOES support certificate authorities that sign client or
host keys, so you don't need to transfer it over the SSH server - it's just not
widely used.

https://www.ssh.com/ssh/keygen/#sec-Using-X-509-Certificates-for-Host-Authentication

> SSH immediately notifies you
>when the server key surprisingly changes.

Only when you already have the host key installed in your client. If there's
a MITM attack before you get the key, you will not notice that, unless you
get the key some other (secure) way.

Unlike SSL, SSH was not designed to be used globally between everyone, but more
within one or more "friend" organizations, so it didn't specify how host
keys are verified (the SSHFP DNS record just transfers trust to DNS, which
can be hijacked too).

>Yes, users are involved in both cases. However, the difference is still here.
>SSH is end-to-end always by design (we're not talking about things like
>Kerberos here), TLS is not.

TLS was designed to be end-to-end encryption and the certificate authority
system was built to fulfil this. The bumping proxies, antiviruses, and
application firewalls just break this.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
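
The host-key CA mechanism mentioned in the reply above, sketched with OpenSSH's own certificate format (not the X.509 variant behind the linked page). This is an added example, not part of the original message; it assumes OpenSSH's `ssh-keygen`, and the file names, host name and key ID are constructed.

```shell
#!/bin/sh
# Added example: a CA signs the host key, and clients trust the CA instead of
# accepting whatever host key they see on first connection.
# All names below (example_ca, host.example.org, the key ID) are constructed.

# make_host_ca DIR: create a CA key pair and a host key pair, then sign the host key.
make_host_ca() {
    dir=$1
    mkdir -p "$dir" || return 1
    # CA key: kept offline in practice; the empty passphrase is for the demo only.
    ssh-keygen -q -t ed25519 -N '' -C 'example host CA' -f "$dir/example_ca" || return 1
    # Host key, as sshd would hold it under /etc/ssh.
    ssh-keygen -q -t ed25519 -N '' -C 'host.example.org' \
        -f "$dir/ssh_host_ed25519_key" || return 1
    # -h: host (not user) certificate   -I: key ID that shows up in logs
    # -n: names the certificate is valid for   -V: validity window
    ssh-keygen -q -s "$dir/example_ca" -h -I 'host.example.org-2018' \
        -n host.example.org -V +52w "$dir/ssh_host_ed25519_key.pub" || return 1
    # sshd then offers it via:  HostCertificate <path>/ssh_host_ed25519_key-cert.pub
}

# known_hosts_ca_line DIR PATTERN: the one line a client installs out of band.
# Any host matching PATTERN that presents a certificate signed by this CA is accepted.
known_hosts_ca_line() {
    # A public key file is "type base64 comment"; keep type and base64 only.
    printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1/example_ca.pub")"
}

# cert_signed_by_ca DIR: succeed only if the certificate is a host certificate
# whose "Signing CA" fingerprint matches the CA public key we hold.
cert_signed_by_ca() {
    ca_fp=$(ssh-keygen -l -f "$1/example_ca.pub" | awk '{print $2}')
    info=$(ssh-keygen -L -f "$1/ssh_host_ed25519_key-cert.pub") || return 1
    cert_fp=$(printf '%s\n' "$info" | awk '/Signing CA:/ {print $4}')
    printf '%s\n' "$info" | grep -q 'host certificate' || return 1
    [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_fp" ]
}

# Usage: make_host_ca ./demo && known_hosts_ca_line ./demo '*.example.org'
```

The CA public key still has to reach the client over a trusted channel, so the first-contact problem described above moves to one key per organization rather than one per host.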

