Re: [CentOS] latest skype (version 8.16.0.4) on Centos 7
On Mon, Mar 05, 2018 at 09:29:51PM +0100, wwp wrote:
> Hello Fred,
>
> On Mon, 5 Mar 2018 13:53:16 -0500 Fred Smith wrote:
>> I've finally been reduced to having to install Skype on my Linux box.
>> I resisted for years, but now ended up trying it.
>>
>> and while the latest RPM installs just fine, it refuses to acknowledge
>> that I have a microphone!
>>
>> In fact I have two: 1 in the USB web cam (it finds the cam), the second
>> in a Plantronics USB headset, which works fine but not with skype.
>> it is as if it doesn't exist.
>>
>> So, when I connect to someone I can hear them, see them, and they can
>> see me, but I'm producing no sound output.
>>
>> All the web hits I can find for nonfunctional microphone on the web
>> are for Ubuntu. GAH!
>>
>> running ldd against the skypeforlinux binary results in a huge list
>> of shared libraries, including libasound (which is what the ubuntu
>> messages say is missing).
>
> Using the same skype version (and former ones), with various
> input/output hardware (not the ones you have), I encounter no issue
> here with sound setup (I know this doesn't help, sorry). Are you able
> to use the hardware you described, especially the input device, with
> other software in this CentOS7, starting with alsamixer?

The Plantronics USB headset works great as both earphones and as a mic.
I use it regularly for videoconferences using various web-based
meeting/conference apps.

Whenever I plug in the USB headset I have to use pavucontrol to manage
sound. Whenever it is not plugged in, I use the sound app in the upper
menu, which turns out to be mate-volume-control (yes, I use the Mate
desktop, not Gnome). This seems weird, but I've grown used to it.

With skype, the audio settings menu refuses to admit to there being any
such audio device attached to the system.

Subsequent to my posting, I discovered that my ancient analog phone/mic
headset works with skype, so I'm more or less set--except I like the
Plantronics a lot better. It (the analog one, not the USB) has two 1/8
inch phone plugs, one pink, one green. Plug 'em into the pink and green
jacks, hack at the sound settings for a while, turn off the speakers
(cause the system won't mute them when the phones are plugged in) and
voila.

Fred
--
Fred Smith -- fre...@fcshome.stoneham.ma.us
- I can do all things through Christ who strengthens me. -- Philippians 4:13 -
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] latest skype (version 8.16.0.4) on Centos 7
Hello Fred,

On Mon, 5 Mar 2018 13:53:16 -0500 Fred Smith wrote:
> I've finally been reduced to having to install Skype on my Linux box.
> I resisted for years, but now ended up trying it.
>
> and while the latest RPM installs just fine, it refuses to acknowledge
> that I have a microphone!
>
> In fact I have two: 1 in the USB web cam (it finds the cam), the second
> in a Plantronics USB headset, which works fine but not with skype.
> it is as if it doesn't exist.
>
> So, when I connect to someone I can hear them, see them, and they can
> see me, but I'm producing no sound output.
>
> All the web hits I can find for nonfunctional microphone on the web
> are for Ubuntu. GAH!
>
> running ldd against the skypeforlinux binary results in a huge list
> of shared libraries, including libasound (which is what the ubuntu
> messages say is missing).

Using the same skype version (and former ones), with various
input/output hardware (not the ones you have), I encounter no issue
here with sound setup (I know this doesn't help, sorry). Are you able
to use the hardware you described, especially the input device, with
other software in this CentOS7, starting with alsamixer?

Regards,

--
wwp
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
Wouldn't filtering the DNS be more practical?

On 5 March 2018 at 18:57, Leon Fauster wrote:
> On 05.03.2018 at 15:34 Bill Gee wrote:
>> On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
>>> On 05.03.2018 at 13:04 Nicolas Kovacs wrote:
>>>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>>>>> So far, I've only been able to filter HTTP.
>>>>>
>>>>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>>>>> advice, caveats, do's and don'ts ?
>>>>
>>>> After a week of trial and error, transparent HTTPS filtering works
>>>> perfectly. I wrote a detailed blog article about it.
>>>>
>>>> https://blog.microlinux.fr/squid-https-centos/
>>>
>>> I wonder if this works with all https enabled sites? Chrome has
>>> capabilities hardcoded to check google certificates. Certificate
>>> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
>>> the end node to identify MITM. I hope that such setup will be
>>> unpractical in the near future.
>>>
>>> About your legal requirements; Weighing is what courts daily do. So,
>>> such requirements are not asking you to destroy the integrity and
>>> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
>>> Ports are the way to go.
>>>
>>> --
>>> LF
>>
>> Although not really related to CentOS, I do have some thoughts on this.
>> I used to work in the IT department of a public library. One of the big
>> considerations at a library is patron privacy. We went to great lengths
>> to NOT record what web sites were visited by our patrons. We also deny
>> requests from anyone to find out what books a patron has checked out.
>>
>> The library is required by law to provide web filtering, mainly because
>> we have public-use computers which are used by children. For http this
>> is easy. Https is, as this discussion reveals, a different animal.
>>
>> We started to set up a filter which would run directly on our router
>> (Juniper SRX-series) using EWF software. It quickly became apparent
>> that any kind of https filtering requires a MITM attack. We were
>> basically decrypting the patron's web traffic on our router, then
>> encrypting it again with a different cert.
>>
>> When we realized what it would take, we had a HUGE internal discussion
>> about how to proceed. Yeah, the lawyers were all over it! In the end we
>> decided to not attempt to filter https traffic except by whatever was
>> not encrypted. Basically that means web site names.
>>
>> Our test case was the Playboy web site. They are available on https,
>> but they do not automatically redirect http to https. If you open
>> playboy [dot] com with no protocol specified, it goes over http. Our
>> existing filter blocked that. However, if you open https[colon]//
>> playboy [dot] com, it goes straight in. The traffic never goes over
>> http, so the filter on the router never processes it.
>>
>> Security by obscurity ... It was the best we could do without violating
>> our own policies on patron privacy.
>
> All browsers send "server_name" [*] in their https requests. That is the
> domain part of the URI. So, you can identify the requested https site
> without decrypting (because it's, "let's call it a header", that includes
> this information) and without damaging the privacy.
>
> [*] https://tools.ietf.org/html/rfc6066
>
> --
> LF
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 2/28/2018 4:23 PM, Nicolas Kovacs wrote:
> Hi,
>
> I've been running Squid successfully on CentOS 7 (and before that on 6
> and 5), and it's always been running nicely. I've been using it mostly
> as a transparent proxy filter in school networks.
>
> So far, I've only been able to filter HTTP.
>
> Do any of you do transparent HTTPS filtering ? Any suggestions,
> advice, caveats, do's and don'ts ?
>
> Cheers from the snowy South of France,
>
> Niki

I made a video on doing this yesterday on Debian. If you skip the part
about the Debian install and use the CentOS Squid 3.5 packages from the
binary package repo provided by Squid, you should be able to follow the
same directions.

https://www.youtube.com/watch?v=Bogdplu_lsE
[CentOS] latest skype (version 8.16.0.4) on Centos 7
Hi all!

I've finally been reduced to having to install Skype on my Linux box.
I resisted for years, but now ended up trying it.

and while the latest RPM installs just fine, it refuses to acknowledge
that I have a microphone!

In fact I have two: 1 in the USB web cam (it finds the cam), the second
in a Plantronics USB headset, which works fine but not with skype.
it is as if it doesn't exist.

So, when I connect to someone I can hear them, see them, and they can
see me, but I'm producing no sound output.

All the web hits I can find for nonfunctional microphone on the web
are for Ubuntu. GAH!

running ldd against the skypeforlinux binary results in a huge list
of shared libraries, including libasound (which is what the ubuntu
messages say is missing).

Anybody got a clue?

Thanks in advance!

Fred
--
Fred Smith -- fre...@fcshome.stoneham.ma.us
- "For him who is able to keep you from falling and to present you before
his glorious presence without fault and with great joy--to the only God our
Savior be glory, majesty, power and authority, through Jesus Christ our
Lord, before all ages, now and forevermore! Amen." - Jude 1:24,25 (niv) -
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 05.03.2018 at 15:34 Bill Gee wrote:
> On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
>> On 05.03.2018 at 13:04 Nicolas Kovacs wrote:
>>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>>>> So far, I've only been able to filter HTTP.
>>>>
>>>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>>>> advice, caveats, do's and don'ts ?
>>>
>>> After a week of trial and error, transparent HTTPS filtering works
>>> perfectly. I wrote a detailed blog article about it.
>>>
>>> https://blog.microlinux.fr/squid-https-centos/
>>
>> I wonder if this works with all https enabled sites? Chrome has
>> capabilities hardcoded to check google certificates. Certificate
>> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
>> the end node to identify MITM. I hope that such setup will be
>> unpractical in the near future.
>>
>> About your legal requirements; Weighing is what courts daily do. So,
>> such requirements are not asking you to destroy the integrity and
>> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
>> Ports are the way to go.
>>
>> --
>> LF
>
> Although not really related to CentOS, I do have some thoughts on this.
> I used to work in the IT department of a public library. One of the big
> considerations at a library is patron privacy. We went to great lengths
> to NOT record what web sites were visited by our patrons. We also deny
> requests from anyone to find out what books a patron has checked out.
>
> The library is required by law to provide web filtering, mainly because
> we have public-use computers which are used by children. For http this
> is easy. Https is, as this discussion reveals, a different animal.
>
> We started to set up a filter which would run directly on our router
> (Juniper SRX-series) using EWF software. It quickly became apparent that
> any kind of https filtering requires a MITM attack. We were basically
> decrypting the patron's web traffic on our router, then encrypting it
> again with a different cert.
>
> When we realized what it would take, we had a HUGE internal discussion
> about how to proceed. Yeah, the lawyers were all over it! In the end we
> decided to not attempt to filter https traffic except by whatever was
> not encrypted. Basically that means web site names.
>
> Our test case was the Playboy web site. They are available on https, but
> they do not automatically redirect http to https. If you open playboy
> [dot] com with no protocol specified, it goes over http. Our existing
> filter blocked that. However, if you open https[colon]// playboy [dot]
> com, it goes straight in. The traffic never goes over http, so the
> filter on the router never processes it.
>
> Security by obscurity ... It was the best we could do without violating
> our own policies on patron privacy.

All browsers send "server_name" [*] in their https requests. That is the
domain part of the URI. So, you can identify the requested https site
without decrypting (because it's, "let's call it a header", that includes
this information) and without damaging the privacy.

[*] https://tools.ietf.org/html/rfc6066

--
LF
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 03/05/18 10:21, Nicolas Kovacs wrote:
> On 05/03/2018 at 16:30, Valeri Galtsev wrote:
>> Sorry, I missed the beginning of this thread. This sounds to me like
>> running one's own Certification Authority. I did that a while ago for
>> over a decade. However, these days one may consider
>>
>> https://letsencrypt.org/
>>
>> - you will have to run web server to have certificate signed by them,
>> but pointing other services to use that same certificate/secret key
>> pair will work.
>
> I do use LetsEncrypt for all my public certificates. But I can't use it
> on a local machine with a hostname like server.company.lan. This is
> simply not possible.

Yes, it is not. They do verify on publicly accessible server that that
host is the one you have access to, and certainly no CA authority will
sign certificate for private address space. I missed the beginning of the
thread which was edited away from what I was replying to...

Valeri

> Niki

--
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 05/03/2018 at 16:30, Valeri Galtsev wrote:
> Sorry, I missed the beginning of this thread. This sounds to me like
> running one's own Certification Authority. I did that a while ago for
> over a decade. However, these days one may consider
>
> https://letsencrypt.org/
>
> - you will have to run web server to have certificate signed by them,
> but pointing other services to use that same certificate/secret key pair
> will work.

I do use LetsEncrypt for all my public certificates. But I can't use it
on a local machine with a hostname like server.company.lan. This is
simply not possible.

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 03/05/18 08:34, Bill Gee wrote:
> On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
>> On 05.03.2018 at 13:04 Nicolas Kovacs wrote:
>>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>>>> So far, I've only been able to filter HTTP.
>>>>
>>>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>>>> advice, caveats, do's and don'ts ?
>>>
>>> After a week of trial and error, transparent HTTPS filtering works
>>> perfectly. I wrote a detailed blog article about it.
>>>
>>> https://blog.microlinux.fr/squid-https-centos/
>>
>> I wonder if this works with all https enabled sites? Chrome has
>> capabilities hardcoded to check google certificates. Certificate
>> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
>> the end node to identify MITM. I hope that such setup will be
>> unpractical in the near future.
>>
>> About your legal requirements; Weighing is what courts daily do. So,
>> such requirements are not asking you to destroy the integrity and
>> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
>> Ports are the way to go.
>>
>> --
>> LF
>
> Although not really related to CentOS, I do have some thoughts on this.
> I used to work in the IT department of a public library. One of the big
> considerations at a library is patron privacy. We went to great lengths
> to NOT record what web sites were visited by our patrons. We also deny
> requests from anyone to find out what books a patron has checked out.

I bet, your servers never embedded links to anything external. If it is
external link, it is requested to open in new browser window. No part of
the page should need external (not living on our server) content. That was
the way we did it since forever. It sounds like I will have to fight soon
against "google-analytics" glued into each page of our websites. It is
amazing that people who have no knowledge rule technical aspects of IT in
many places...

Valeri

> The library is required by law to provide web filtering, mainly because
> we have public-use computers which are used by children. For http this
> is easy. Https is, as this discussion reveals, a different animal.
>
> We started to set up a filter which would run directly on our router
> (Juniper SRX-series) using EWF software. It quickly became apparent that
> any kind of https filtering requires a MITM attack. We were basically
> decrypting the patron's web traffic on our router, then encrypting it
> again with a different cert.
>
> When we realized what it would take, we had a HUGE internal discussion
> about how to proceed. Yeah, the lawyers were all over it! In the end we
> decided to not attempt to filter https traffic except by whatever was
> not encrypted. Basically that means web site names.
>
> Our test case was the Playboy web site. They are available on https, but
> they do not automatically redirect http to https. If you open playboy
> [dot] com with no protocol specified, it goes over http. Our existing
> filter blocked that. However, if you open https[colon]// playboy [dot]
> com, it goes straight in. The traffic never goes over http, so the
> filter on the router never processes it.
>
> Security by obscurity ... It was the best we could do without violating
> our own policies on patron privacy.

--
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 03/05/18 07:23, Leon Fauster wrote:
> On 05.03.2018 at 13:04 Nicolas Kovacs wrote:
>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>>> So far, I've only been able to filter HTTP.
>>>
>>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>>> advice, caveats, do's and don'ts ?
>>
>> After a week of trial and error, transparent HTTPS filtering works
>> perfectly. I wrote a detailed blog article about it.
>>
>> https://blog.microlinux.fr/squid-https-centos/
>
> I wonder if this works with all https enabled sites? Chrome has
> capabilities hardcoded to check google certificates.

Google, huh ;-( see below...

> Certificate Transparency, HTTP Public Key Pinning, CAA DNS are also
> supporting the end node to identify MITM. I hope that such setup will
> be unpractical in the near future.
>
> About your legal requirements; Weighing is what courts daily do. So,
> such requirements are not asking you to destroy the integrity and
> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
> Ports are the way to go.

I would add avoiding google and all google products by all means to the
above list ;-)

valeri

> --
> LF

--
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
The certificate should have *CA:true* set to act as a CA for dynamic
signing of certificates by Squid. Most probably, Let's Encrypt will ignore
this constraint in the CSR.

2018-03-05 12:33 GMT-03:00 Chris Adams:
> Once upon a time, Valeri Galtsev said:
>> https://letsencrypt.org/
>>
>> - you will have to run web server to have certificate signed by
>> them
>
> Not necessarily - we do most of our Let's Encrypt validation with DNS
> rather than HTTP.
> --
> Chris Adams
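A way to check the point made above before handing a certificate to Squid's dynamic signer. This is an added example, not code from the thread or from the Squid project; it assumes the Python `cryptography` package is installed. It constructs two throwaway certificates in memory: a self-signed CA with basicConstraints CA:true, and a leaf certificate with CA:false, which is the shape a public CA such as Let's Encrypt issues regardless of what the CSR requests. `can_sign_certificates()` accepts only the first.

```python
"""Check whether a certificate can act as the signing CA Squid's SslBump needs."""
import datetime
from typing import Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str, is_ca: bool) -> bytes:
    """Construct a self-signed certificate (constructed test data) and return it as PEM."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        # basicConstraints CA:true is the flag the thread says Squid's signer needs
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True,
                content_commitment=False,
                key_encipherment=False,
                data_encipherment=False,
                key_agreement=False,
                key_cert_sign=is_ca,   # a CA must also be allowed to sign certificates
                crl_sign=is_ca,
                encipher_only=False,
                decipher_only=False,
            ),
            critical=True,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def can_sign_certificates(pem: bytes) -> Tuple[bool, str]:
    """Return (ok, reason): may this certificate issue the per-host certs Squid generates?"""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False, "no basicConstraints extension (treated as CA:false)"
    if not bc.ca:
        return False, "basicConstraints CA:false"
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True, "CA:true (no keyUsage, so keyCertSign is not restricted)"
    if not ku.key_cert_sign:
        return False, "CA:true but keyUsage lacks keyCertSign"
    return True, "CA:true with keyCertSign"


# Constructed inputs: the CA you would create yourself for SslBump, and a
# web-server leaf certificate of the kind a public CA issues.
CA_PEM = make_self_signed("Example Squid signing CA", is_ca=True)
LEAF_PEM = make_self_signed("proxy.example.lan", is_ca=False)

if __name__ == "__main__":
    for label, pem in (("self-signed CA", CA_PEM), ("web-server leaf", LEAF_PEM)):
        ok, reason = can_sign_certificates(pem)
        print(f"{label}: {'usable' if ok else 'NOT usable'} as SslBump CA ({reason})")
```

Run the same `can_sign_certificates()` on the PEM you intend to give to `https_port ... cert=` and it reports the reason a certificate is rejected, which is faster than reading the generated-certificate errors out of cache.log.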
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
Once upon a time, Valeri Galtsev said:
> https://letsencrypt.org/
>
> - you will have to run web server to have certificate signed by
> them

Not necessarily - we do most of our Let's Encrypt validation with DNS
rather than HTTP.
--
Chris Adams
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 03/05/18 06:34, Nicolas Kovacs wrote:
> On 05/03/2018 at 13:30, Nux! wrote:
>> You could probably just drop your CA cert in the filesystem and run a
>> couple of commands to get it imported, rather than having to import
>> the CA in the browsers individually. You could probably deliver it
>> via yum/rpm or better yet, ansible or even some shell script.
>
> I will have to use this in environments with mainly Windows, OS X and
> iOS clients. I'm still thinking about how to do this, but I guess I'll
> just setup a local web page on the server, with a link to download the
> certificate file and short instructions on how to install it on the
> most common browsers (Internet Explorer, Edge, Firefox, Chrome, Safari,
> ...).

Sorry, I missed the beginning of this thread. This sounds to me like
running one's own Certification Authority. I did that a while ago for
over a decade. However, these days one may consider

https://letsencrypt.org/

- you will have to run web server to have certificate signed by them,
but pointing other services to use that same certificate/secret key pair
will work.

Just my $0.02

Valeri

> Niki

--
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
Starting with version 3.5 of Squid, a new feature named "*SslBump Peek and
Splice*" was introduced. With this functionality, Squid is able to
intercept HTTPS traffic transparently (with exceptions, of course). In this
manner, Squid, with spike, is able to log HTTPS traffic and apply
directives like dstdomain on HTTPS traffic without the need of a
self-signed CA. This resource of Squid is the same functionality available
on appliances like Sonicwall, Fortigate, Checkpoint, etc.

An example of config:

http_port 80 intercept
https_port 443 intercept ssl-bump cert=/etc/squid3/ssl/ca/intermediate/certs/wilcard.pem key=/etc/squid3/ssl/ca/intermediate/private/wildcard.key generate-host-certificates=off version=4 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
cache_log /var/log/squid3/cache.log
access_log daemon:/var/log/squid3/access.log squid
netdb_filename stdio:/var/log/squid3/netdb.state
sslcrtd_program /usr/libexec/ssl_crtd -s /var/log/squid3/ssl_db -M 4MB
sslcrtd_children 1 startup=1 idle=1
cache_effective_user proxy
cache_effective_group proxy
pinger_enable off
dns_v4_first on
acl HTTPS dstdomain "/etc/squid3/https"
acl BLOCK url_regex "(torrent)|sex(y|o)"
cache deny all
ssl_bump bump HTTPS
ssl_bump splice all
http_access deny BLOCK
http_access allow all

PS: the use of "ssl-bump" is only to satisfy the Squid parser.

Best clarifications: https://wiki.squid-cache.org/Features/SslPeekAndSplice

Regards,

2018-03-05 11:34 GMT-03:00 Bill Gee:
> On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
>> On 05.03.2018 at 13:04 Nicolas Kovacs wrote:
>>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>>>> So far, I've only been able to filter HTTP.
>>>>
>>>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>>>> advice, caveats, do's and don'ts ?
>>>
>>> After a week of trial and error, transparent HTTPS filtering works
>>> perfectly. I wrote a detailed blog article about it.
>>>
>>> https://blog.microlinux.fr/squid-https-centos/
>>
>> I wonder if this works with all https enabled sites? Chrome has
>> capabilities hardcoded to check google certificates. Certificate
>> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
>> the end node to identify MITM. I hope that such setup will be
>> unpractical in the near future.
>>
>> About your legal requirements; Weighing is what courts daily do. So,
>> such requirements are not asking you to destroy the integrity and
>> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
>> Ports are the way to go.
>>
>> --
>> LF
>
> Although not really related to CentOS, I do have some thoughts on this.
> I used to work in the IT department of a public library. One of the big
> considerations at a library is patron privacy. We went to great lengths
> to NOT record what web sites were visited by our patrons. We also deny
> requests from anyone to find out what books a patron has checked out.
>
> The library is required by law to provide web filtering, mainly because
> we have public-use computers which are used by children. For http this
> is easy. Https is, as this discussion reveals, a different animal.
>
> We started to set up a filter which would run directly on our router
> (Juniper SRX-series) using EWF software. It quickly became apparent that
> any kind of https filtering requires a MITM attack. We were basically
> decrypting the patron's web traffic on our router, then encrypting it
> again with a different cert.
>
> When we realized what it would take, we had a HUGE internal discussion
> about how to proceed. Yeah, the lawyers were all over it! In the end we
> decided to not attempt to filter https traffic except by whatever was
> not encrypted. Basically that means web site names.
>
> Our test case was the Playboy web site. They are available on https, but
> they do not automatically redirect http to https. If you open playboy
> [dot] com with no protocol specified, it goes over http. Our existing
> filter blocked that. However, if you open https[colon]// playboy [dot]
> com, it goes straight in. The traffic never goes over http, so the
> filter on the router never processes it.
>
> Security by obscurity ... It was the best we could do without violating
> our own policies on patron privacy.
>
> --
> Bill Gee
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
> On 05.03.2018 at 13:04 Nicolas Kovacs wrote:
>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>>> So far, I've only been able to filter HTTP.
>>>
>>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>>> advice, caveats, do's and don'ts ?
>>
>> After a week of trial and error, transparent HTTPS filtering works
>> perfectly. I wrote a detailed blog article about it.
>>
>> https://blog.microlinux.fr/squid-https-centos/
>
> I wonder if this works with all https enabled sites? Chrome has
> capabilities hardcoded to check google certificates. Certificate
> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
> the end node to identify MITM. I hope that such setup will be
> unpractical in the near future.
>
> About your legal requirements; Weighing is what courts daily do. So,
> such requirements are not asking you to destroy the integrity and
> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
> Ports are the way to go.
>
> --
> LF

Although not really related to CentOS, I do have some thoughts on this.
I used to work in the IT department of a public library. One of the big
considerations at a library is patron privacy. We went to great lengths
to NOT record what web sites were visited by our patrons. We also deny
requests from anyone to find out what books a patron has checked out.

The library is required by law to provide web filtering, mainly because
we have public-use computers which are used by children. For http this
is easy. Https is, as this discussion reveals, a different animal.

We started to set up a filter which would run directly on our router
(Juniper SRX-series) using EWF software. It quickly became apparent that
any kind of https filtering requires a MITM attack. We were basically
decrypting the patron's web traffic on our router, then encrypting it
again with a different cert.

When we realized what it would take, we had a HUGE internal discussion
about how to proceed. Yeah, the lawyers were all over it! In the end we
decided to not attempt to filter https traffic except by whatever was
not encrypted. Basically that means web site names.

Our test case was the Playboy web site. They are available on https, but
they do not automatically redirect http to https. If you open playboy
[dot] com with no protocol specified, it goes over http. Our existing
filter blocked that. However, if you open https[colon]// playboy [dot]
com, it goes straight in. The traffic never goes over http, so the
filter on the router never processes it.

Security by obscurity ... It was the best we could do without violating
our own policies on patron privacy.

--
Bill Gee
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 05.03.2018 at 13:04 Nicolas Kovacs wrote:
>
> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>> So far, I've only been able to filter HTTP.
>>
>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>> advice, caveats, do's and don'ts ?
>
> After a week of trial and error, transparent HTTPS filtering works
> perfectly. I wrote a detailed blog article about it.
>
> https://blog.microlinux.fr/squid-https-centos/

I wonder if this works with all https enabled sites? Chrome has
capabilities hardcoded to check google certificates. Certificate
Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
the end node to identify MITM. I hope that such setup will be
unpractical in the near future.

About your legal requirements; Weighing is what courts daily do. So,
such requirements are not asking you to destroy the integrity and
confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
Ports are the way to go.

--
LF
Re: [CentOS] Addind kmail to EPEL
On 04/03/2018 at 02:45, Yves Bellefeuille wrote:
> I finally decided to move from CentOS 6 to CentOS 7, but was surprised
> to see that kmail is no longer included: Red Hat deliberately decided
> to omit it.

Probably because it's too buggy. I've been using Kmail for a few years
under KDE 3.x, but after that, the KDE developers simply couldn't get
their act together, and every new Kmail version got worse than the
previous one.

Cheers from a KDE + Thunderbird user. :o)

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 05/03/2018 at 13:30, Nux! wrote:
> You could probably just drop your CA cert in the filesystem and run a
> couple of commands to get it imported, rather than having to import
> the CA in the browsers individually. You could probably deliver it
> via yum/rpm or better yet, ansible or even some shell script.

I will have to use this in environments with mainly Windows, OS X and
iOS clients. I'm still thinking about how to do this, but I guess I'll
just setup a local web page on the server, with a link to download the
certificate file and short instructions on how to install it on the
most common browsers (Internet Explorer, Edge, Firefox, Chrome, Safari,
...).

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
Nice, thanks for sharing.

You could probably just drop your CA cert in the filesystem and run a
couple of commands to get it imported, rather than having to import
the CA in the browsers individually. You could probably deliver it
via yum/rpm or better yet, ansible or even some shell script.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Nicolas Kovacs"
> To: "CentOS mailing list"
> Sent: Monday, 5 March, 2018 12:04:59
> Subject: Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>> So far, I've only been able to filter HTTP.
>>
>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>> advice, caveats, do's and don'ts ?
>
> After a week of trial and error, transparent HTTPS filtering works
> perfectly. I wrote a detailed blog article about it.
>
> https://blog.microlinux.fr/squid-https-centos/
>
> Cheers,
>
> Niki
>
> --
> Microlinux - Sustainable IT solutions
> 7, place de l'église - 30730 Montpezat
> Site: https://www.microlinux.fr
> Blog: https://blog.microlinux.fr
> Mail: i...@microlinux.fr
> Tel.: 04 66 63 10 32
Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?
On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
> So far, I've only been able to filter HTTP.
>
> Do any of you do transparent HTTPS filtering ? Any suggestions,
> advice, caveats, do's and don'ts ?

After a week of trial and error, transparent HTTPS filtering works
perfectly. I wrote a detailed blog article about it.

https://blog.microlinux.fr/squid-https-centos/

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32