Re: [squid-users] SSLBump, help to configure for 3.1.0.16

From: K K <kkadow_at_gmail.com>
Date: Tue, 16 Feb 2010 09:40:07 -0600

On Tue, Feb 16, 2010 at 7:17 AM, Matus UHLAR - fantomas
<uhlar_at_fantomas.sk> wrote:
> On 14.02.10 18:30, Andres Salazar wrote:
>> I am trying to configure SSLbump so that I can use squid in transparent
>> mode and redirect with iptables/pf port 443 and 80 to squid.

Why transparent?

> Are you aware of all security concerns when intercepting HTTPS connections?
>
> ...I just wonder when the first proactive admin (or someone from his managers) will be sent
> to prison because of breaking into users' connections.

Laws vary by country. At least in the US, SSL-Intercepting admins are
much more likely to face civil liability than any sort of criminal
charge. So no prison, just bankruptcy.

With the requirement to load a public key on the machine being
intercepted, generally this is only deployed in situations where the
owner of the proxy also already "owns" the user machine.

I'm using a commercial tool which gets around the headaches and legal
issues by inspecting the HTTPS outbound data on the client, before it
gets encrypted. This "agent" only works with IE/Firefox.
Received on Tue Feb 16 2010 - 15:40:17 MST
