[squid-users] How to configure a "proxy home" page ?
Yuri
yvoinov at gmail.com
Mon Mar 26 15:45:04 UTC 2018
26.03.2018 21:36, Matus UHLAR - fantomas пишет:
> On 26.03.18 19:16, Yuri wrote:
>> Disagree.
>>
>> My point about TLS is quite different.
>>
>> SSH, by design, assumes end-to-end encryption and do not assumes any
>> third-party treats as trusty, like TLS does.
>
> actually, the ssh DOES support certificate authorities that sign
> client or
> host keys, so you don't need to transfer it over SSH server - it's
> just not
> widely used.
>
> https://www.ssh.com/ssh/keygen/#sec-Using-X-509-Certificates-for-Host-Authentication
>
I know such obvious thing. But functionality you described was not
initially designed in SSH and was added later.
>
>> SSH immediately notice you
>> when server key surprisingly changed.
>
> only when you already have the host key installed in your client. If
> there's
> MITM attack before you get the key, you will not notice that, unless you
> get the key by other (secure) way.
By analogue with TLS - let's imagine I've already been on site. With SSH
client notify me - "Hey, man, you trying to connect to server with ....
fingerprint. Add it Yes/No?"
Instead this, TLS never notify me if third-party CA is known to client.
>
> unlike SSL, SSH was not designed to be used globally between everyone,
> more
> within one or more "friend" organizations, so it didn't specify how host
> keys are verified (the SSHFP DNS record just transfers trust to DNS,
> which
> can be hijacked too).
To be honest, a weak argument. A secure connection should always be
encrypted end-to-end and should not "trusted" third-parties as well.
Never. Otherwise it is insecure connection. IMHO.
>
>> Yes, users is involved in both cases. However the difference still here.
>> SSH is end-to-end always by design (we're not talking about things like
>> Kerberos here), TLS is not.
>
> TLS was designed to be end-to-end encryption and the certificate
> authority
As Stanislavsky said, "I do not believe it!"
End-to-end encryption and the (/trusted third-party/) certificate
authority these are antonyms.
> system was built to fullfil this. The bumping proxies, antiviruses, and
> application firewalls just break this.
>
With this I can not argue.
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180326/519dea8e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180326/519dea8e/attachment.sig>
More information about the squid-users
mailing list