On 30/1/18 5:22 pm, Izaac wrote:
> Q: How can I automatically undermine the basis of the SSL PKI by forcing my
> CA (which, by design, generates certificates for arbitrary sites and
> thereby man-in-the-middles all communications) onto third parties that
> happen to be traversing my network?
> A: You can not -- at least not legally or ethically.

This is a good - and often overlooked - point. Ask yourself why you are trying to do this.

You are undermining the basis of secure communications, and opening up your users to considerable risks whenever they access online banking, or indeed any other service that expects a secure connection to transfer sensitive data.

Is it really worth it just to block a few undesirable websites?

Assuming you're in a corporate environment, might not a simple 'IT/Internet Policy' addendum to employees' contracts cover this far more effectively?

Kind regards,

Chris
--
This email is made from 100% recycled electrons
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold