Re: [squid-users] Settings for Bank & Health
On 13.03.18 20:37, Al Grant wrote:
>>> I have been told it would be good practice to respect users' privacy when
>>> it comes to banking and health websites. I am not sure whether this means
>>> not logging those websites, not caching them or something else?

On Tue, Mar 13, 2018 at 9:06 PM, Matus UHLAR - fantomas wrote:
>> in fact, both. However it's not a problem unless you bump SSL connections.
>> without it, you just see CONNECT requests in proxy logs, which doesn't
>> violate privacy.

On 13.03.18 21:17, Al Grant wrote:
> So would you see all the URLs for a given site in the logs?

No. CONNECT only provides host/IP and port, nothing more.

>> Bumping SSL connections means decrypting the traffic and removing privacy.
>> (SSL is designed for end-to-end encryption and validation).
>>
>> Bumping decrypts the connection, provides its own certificates, and makes
>> its own SSL connection to the web sites.
>>
>> Users will not see the green bar commonly seen at banking sites, coming
>> from extended validation certificate.

> I don't see the need to go as far as filtering traffic based on content.
> However I would like to be able to view the URLs visited.

viewing URLs in HTTPS connections requires decrypting SSL.
decrypting SSL removes privacy and brings problems.
don't decrypt unless you really have to.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
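What the two cases discussed in this thread look like in a log, as an added example that is not from any poster in the thread: the sketch parses constructed lines in Squid's default native access.log format and lists entries for a sensitive domain where a full URL path, rather than only the CONNECT host and port, was recorded. The domain names, addresses and function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lines (native format: time elapsed client code/status
# bytes method URL ident hierarchy/peer type). Hosts and IPs are made up.
SAMPLE_LOG = """\
1520971200.101   5012 192.0.2.10 TCP_TUNNEL/200 4521 CONNECT www.examplebank.test:443 - HIER_DIRECT/198.51.100.7 -
1520971201.202    130 192.0.2.10 TCP_MISS/200 2210 GET http://news.example.test/world/article?id=7 - HIER_DIRECT/198.51.100.8 text/html
1520971202.303     95 192.0.2.11 TCP_MISS/200 1830 GET https://www.examplebank.test/accounts/12345/statement - HIER_DIRECT/198.51.100.7 text/html
"""

def parse_entry(line):
    """Return what one native-format log line reveals about the request."""
    f = line.split()
    if len(f) < 7:
        return None  # truncated or non-native line
    client, method, target = f[2], f[5], f[6]
    if method == "CONNECT":
        # Tunnelled HTTPS: the proxy only ever saw "host:port".
        host, _, port = target.rpartition(":")
        return {"client": client, "host": host.strip("[]").lower(),
                "port": port, "path": None}
    # Plain HTTP, or HTTPS that was decrypted (bumped): full URL is logged.
    u = urlsplit(target)
    path = u.path + ("?" + u.query if u.query else "")
    return {"client": client, "host": (u.hostname or "").lower(),
            "port": str(u.port or ""), "path": path}

def is_sensitive(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def exposed_urls(log_text, domains):
    """Entries for sensitive domains where a full URL path was logged."""
    hits = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["path"] is not None and is_sensitive(e["host"], domains):
            hits.append((e["client"], e["host"], e["path"]))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_entry(line))
    print(exposed_urls(SAMPLE_LOG, ["examplebank.test"]))
```

An empty result from `exposed_urls` over a real log means only host and port were recorded for the listed domains; any hit means decrypted request URLs for those sites are being written to disk.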
Re: [squid-users] Settings for Bank & Health
On Tue, Mar 13, 2018 at 9:06 PM, Matus UHLAR - fantomas wrote:

> On 13.03.18 20:37, Al Grant wrote:
>
>> I have been told it would be good practice to respect users' privacy when
>> it comes to banking and health websites.
>
> it's good practice to respect users' privacy when it comes to all websites.
>
>> I am not sure whether this means not logging those websites, not caching
>> them or something else?
>
> in fact, both. However it's not a problem unless you bump SSL connections.
> without it, you just see CONNECT requests in proxy logs, which doesn't
> violate privacy.

So would you see all the URLs for a given site in the logs?

> Bumping SSL connections means decrypting the traffic and removing privacy.
> (SSL is designed for end-to-end encryption and validation).
>
> Bumping decrypts the connection, provides its own certificates, and makes
> its own SSL connection to the web sites.
>
> Users will not see the green bar commonly seen at banking sites, coming
> from extended validation certificate.

I don't see the need to go as far as filtering traffic based on content.
However I would like to be able to view the URLs visited.

Thanks for the explanation.

--
"Beat it punk!" - Clint Eastwood
Re: [squid-users] Settings for Bank & Health
On 13.03.18 20:37, Al Grant wrote:
> I have been told it would be good practice to respect users' privacy when
> it comes to banking and health websites.

it's good practice to respect users' privacy when it comes to all websites.

> I am not sure whether this means not logging those websites, not caching
> them or something else?

in fact, both. However it's not a problem unless you bump SSL connections.
without it, you just see CONNECT requests in proxy logs, which doesn't
violate privacy.
(at least not much, you know where the user connects but that's all).

in some countries you are obligated to save the logs for some time.

> Can someone please elaborate, and perhaps how it would be achieved?
>
> I am currently running a non transparent proxy with wpad.

Bumping SSL connections means decrypting the traffic and removing privacy.
(SSL is designed for end-to-end encryption and validation).

Bumping decrypts the connection, provides its own certificates, and makes
its own SSL connection to the web sites.

Users will not see the green bar commonly seen at banking sites, coming from
extended validation certificate.

if you do ssl bumping, you must be very careful - because of both legal and
technical issues. If you don't, you should have no problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
[squid-users] Settings for Bank & Health
Hi,

I have been told it would be good practice to respect users' privacy when it
comes to banking and health websites.

I am not sure whether this means not logging those websites, not caching
them or something else?

Can someone please elaborate, and perhaps how it would be achieved?

I am currently running a non transparent proxy with wpad.

Thanks

AG

--
"Beat it punk!" - Clint Eastwood