Public or private CA, the issue will persist.
On Nov 3, 2017 8:39 AM, "Roberto Carna" wrote:
> OK Jon, thanks for your time and explanation.
>
> So a last qustion please: now I put in Squid of pfSense a private CA
> certificate...is it the same if I put a public CA certificate? Will I
> experience the same HTTPS behaviour related to Chrome and Firefox?
>
> Thanks a lot again.
>
> ROBERTO
>
> 2017-11-02 20:47 GMT-03:00 Jon Gerdes :
> > Roberto
> >
> > NFF: Product working as designed
> >
> > When you use splice, you are doing a Man In The Middle (MitM) attack on
> > your own users. Chrome is a Google product and they have enabled https
> > ://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and other things to
> > detect this sort of thing.
> >
> > This could be seen as an abuse by Google https://www.troyhunt.com/bypas
> > sing-browser-security-warnings-with-pseudo-password-fields/ or you
> > could consider that end users should have an expectation of privacy by
> > default. For example, what if your users do on line banking through
> > your proxy? You could easily grab usernames and passwords and other
> > personal details or worse if you abuse the trust that SSL/TLS should
> > allow.
> >
> > Think very hard about the implications of attempting to break the
> > contract that SSL/TLS is designed to provide - end to end encryption
> > with no tampering and guaranteed privacy.
> >
> > Cheers
> > Jon
> >
> >
> >
> >
> > On Thu, 2017-11-02 at 12:00 -0300, Roberto Carna wrote:
> >> People, I have pfSEnse 2.4 with Squid and Squidguard.
> >>
> >> I enable HTTP transparent proxy and SSL filtering with Splice All.
> >>
> >> From our Android cell phones, if we use Firefox TO NAVIGATE
> >> everything
> >> is OK, but if we use Chrome we can't go to Google and some other
> >> HTTPS
> >> sites.
> >>
> >> We reviewed firewall rules, NAT and denied target categories and
> >> everything seems OK.
> >>
> >> What can be the problem with Chrome ???
> >>
> >> Thanks a lot,
> >>
> >> ROBERTO
> >> ___
> >> pfSense mailing list
> >> https://lists.pfsense.org/mailman/listinfo/list
> >> Support the project with Gold! https://pfsense.org/gold
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold