Joe Cooper wrote:
> One part of the security requirement of SSL is end-to-end trust.
> Without that, any proxy could hijack connections and 'listen in'. It
> would require a huge endeavour to bypass those tests of end-to-end
> security...though someone with enough resources might manage it
> ("enough" here being defined as "practically unlimited").
Well, as discussed several months ago in a different thread on
squid-users, if you are in a position to set policy you can set the
policy for the organisation that there is no end-to-end SSL provided.
Then make sure the CA used for the proxy certificate is trusted by your
users' browsers, and instruct your users that to reach SSL sites they
must click away the certificate name warning. 99.99% of the users have
no clue what SSL certificate names are about anyway.
With a little CPU power you can even get rid of the certificate name
warning in the above scenario, if the CA used is a private CA under the
control of the proxy, this CA is installed as a trusted CA in your
client browsers, and the browser is configured to use a proxy for SSL.
Note: None of the above is possible with Squid-2.5 as it lacks the
needed features:
* Initiate SSL connections (patch pending for this)
* Intercept CONNECT requests as if they were SSL requests.
* Dynamically generate private certificates based on the host names of
intercepted CONNECT requests.
Apart from allowing logging and inspection of https traffic, this method
also effectively stops any abuses of CONNECT to non-https services such
as IRC or whatever.
Regards
Henrik
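The scenario Henrik sketches (a private CA under the proxy's control, a per-host certificate minted from the host name in an intercepted CONNECT request, and the difference between a client that trusts the CA and one that does not) can be reproduced with nothing more than the openssl command line. The script below is an added example, not code from the squid-users thread or from Squid itself; the CA name, file locations, and the constructed CONNECT request line are all assumptions. It needs the openssl CLI (1.1.0 or later for the verify flags used).

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a private CA,
# mints a leaf certificate for the host named in a CONNECT request, and
# shows how the result verifies with and without the private CA trusted.
# All names and paths are assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system
# openssl.cnf. The v3_ca section makes the self-signed cert a real CA.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Proxy Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. The proxy's private CA: the one you would install as trusted in
#    every client browser in the scenario described in the thread.
make_ca() {
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Proxy Private CA" >/dev/null 2>&1
}

# 2. Pull the host out of a CONNECT request line,
#    e.g. "CONNECT www.example.com:443 HTTP/1.1" -> "www.example.com".
connect_host() {
    h=${1#CONNECT }
    h=${h%% *}
    printf '%s\n' "${h%%:*}"
}

# 3. Mint a short-lived leaf certificate for that host, signed by the
#    private CA, with the host name in subjectAltName so modern clients
#    match it. Prints the path of the minted certificate.
mint_cert() {
    host="$1"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$WORK/$host.ext"
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -sha256 -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 7 -sha256 \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/$host.crt"
}

# 4. What a client that trusts the private CA sees: prints ok or fail.
verify_with_ca() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# 5. What a client without the private CA sees (the certificate warning
#    the post tells users to click away): prints ok or fail.
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$WORK/$1.crt" \
        >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca
# Constructed CONNECT request line standing in for an intercepted one.
h=$(connect_host "CONNECT www.example.com:443 HTTP/1.1")
mint_cert "$h" >/dev/null
echo "client trusting private CA:   $(verify_with_ca "$h")"
echo "client without private CA:    $(verify_without_ca "$h")"
```

The two verify calls are the whole point: with the private CA installed the minted certificate is indistinguishable to the browser from a real one for that host, and without it every HTTPS site produces the warning Henrik mentions. A proxy doing this still has to validate the origin server's certificate on the connection it initiates upstream; if it does not, the proxy itself becomes the point at which end-to-end trust is lost rather than merely relocated.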
Received on Sat Nov 23 2002 - 03:35:53 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:32 MST