Re: [squid-users] Re: Squid intercept mode loading problem

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Mon, 30 Dec 2013 02:18:09 +0200

The idea by itself is like that, but there are many cases in which, in
real-world implementations, the result can surprise even me.

The basics to make sure that the certificate is "authentic" are to read
it and make sure that every part of it, or at least the basics in it, are
true.

If you get into a bank HTTPS site and you see something like a "warning",
first make sure that your PC clock and date are fine.
The next thing is to make sure that the DNS record is a secured one.
After all the above you need to make sure that the certificate
satisfies your needs and security level.

There are places in which a switch-port-level state is needed to prevent
breaches.

I remember something about a hospital computer that was used for some
purposes, and then in a couple of seconds some nice "guy" showed up to check
something with the printer.

I would not start messing with SSL clients if they are security aware.

Eliezer

On 30/12/13 01:58, Amos Jeffries wrote:
> On 30/12/2013 1:09 a.m., 0bj3ct wrote:
>> Thanks for the reply, Amos!
>>
>> I've solved it. There was just a mistake in the configuration. Btw I see a "This
>> connection is untrusted" popup screen every time I enter an https website. If
>> I accept the certificate (adding it as an exception) then I can continue to any
>> https website. But is it possible to enter any https website without this
>> security popup?
> Depends on whether you can pre-install a CA certificate into the client
> browser. That popup is the installation process for that browser.
>
> Amos
>
Received on Mon Dec 30 2013 - 00:18:23 MST
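
Added example (not part of the original thread and not Squid's own code): a small triage of the certificate warning discussed above, covering the clock/validity check, the name check and the issuer check; the DNS check is out of scope here. The certificate is a constructed sample in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and the host names, issuer names and the triage_warning() helper are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Proxy"),),
               (("commonName", "Example Interception CA"),)),
    "notBefore": "Dec 15 00:00:00 2013 GMT",
    "notAfter": "Dec 15 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}

def _name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def _issuer_cn(cert):
    """Return the issuer's commonName, or None if it has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def triage_warning(cert, host, now, expected_issuers):
    """List the reasons this certificate would trigger a warning for host."""
    findings = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid: check the PC clock and date first")
    elif ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired: check the PC clock and date first")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        findings.append("name-mismatch: certificate does not cover " + host)
    issuer = _issuer_cn(cert)
    if issuer not in expected_issuers:
        findings.append("unexpected-issuer: " + str(issuer))
    return findings

if __name__ == "__main__":
    when = datetime(2013, 12, 30, tzinfo=timezone.utc)
    print(triage_warning(SAMPLE_CERT, "www.bank.example", when, {"Example Public CA"}))
```

An "unexpected-issuer" finding with a correct clock and a matching name is the case the thread is about: the certificate was minted by a CA the client has not been told to trust.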