26.03.2018 15:33, Matus UHLAR - fantomas writes:
>>>>>> On 25/03/2018 at 13:08, Yuri wrote:
>>>>>>> The problem is not installing the proxy CA. The problem is identifying
>>>>>>> a client that has no proxy CA and redirecting it, and doing it only once.
>>>>>
>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>>> that.
>>>>>>
>>>>>> The current method is to instruct everyone - with a printed paper in the
>>>>>> office - to connect to proxy.company-name.lan and then get further
>>>>>> instructions from the page. This works, but an automatic splash page
>>>>>> would be more elegant.
>>>
>>>> 25.03.2018 18:42, Matus UHLAR - fantomas writes:
>>>>> impossible and unsafe. The CA must be installed before such splash
>>>>> page shows
>>>
>>> On 25.03.18 18:44, Yuri wrote:
>>>> Possible. "Safe/Unsafe" should not be a discussion when SSL Bump is
>>>> implemented already.
>
>> 25.03.2018 20:32, Matus UHLAR - fantomas writes:
>>> it's possible to install a splash page, but not to install a trusted
>>> authority certificate. Using such an authority on a proxy is the MITM
>>> attack and the whole of SSL has been designed to prevent this.
>
> On 25.03.18 21:41, Yuri wrote:
>> Heh. If SSL was designed that way, why is SSL Bump itself possible? ;):-P
>
> it's not, you must break through it to allow ssl-bump by installing your
> CA certificate. You haven't explained how to do that automatically although
> you claim it's possible.
>
> Please provide evidence.

Waaaaaaa. No. My misunderstanding. Of course, not automatically.

>
>>> without the certificate, the browser complains, which is a security
>>> measure against this.
>
>> Sure. It should.
>
> and it does. unless you tweak it not to, which must be configured manually
> (please provide evidence if not).

Exactly. I'm talking only about that. My misunderstanding.

>
>>>>> up and in such case the splash page is irrelevant.
>>>>>
>>>>> If you have a windows domain, you can force security policy through it.
>>>
>>>> In an enterprise environment with AD, yes. But hardly in service
>>>> provider's scenarios.
>>>
>>> service providers should not do this without users' permission.
>>> at least not in countries where privacy is guaranteed by law.
>
>> Thank you, Captain Obvious. :-) Enterprises also should get user
>> agreement before doing that. Especially in BYOD scenarios.
>>
>> All these things are well known here. The question was about technical
>> implementation, and not about the well-known truisms in the field of
>> security and privacy (in most cases ephemeral).
>
> maybe you know that, but many of the people asking for an ssl bump how-to
> do not know that.

I disagree a bit. This has been repeated so many times here and in the Wiki that it's hard to imagine that someone does not already know this.
--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
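The point Matus makes in the quoted exchange, that a client which has not installed the proxy CA rejects the bumped certificate before any page content is seen, so an HTTPS splash page cannot be what installs the CA, can be shown with a short Go program. This is an added example, not code from the thread, from Squid or from any of the participants; the CA subject, the hostname and the verification helpers are all constructed for the demonstration, and the root pool stands in for a browser's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCA creates a throwaway CA standing in for a proxy's SSL Bump signing CA.
// The subject name is constructed for this example.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example bump CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// mintLeaf does what a bumping proxy does per site: it signs a certificate
// for the requested hostname with the proxy CA.
func mintLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientVerify is the check a browser performs on connect: chain the presented
// leaf to a root it trusts. A client that never installed the proxy CA has an
// empty root pool here, so no chain can be built.
func clientVerify(leaf, proxyCA *x509.Certificate, host string, caInstalled bool) error {
	roots := x509.NewCertPool()
	if caInstalled {
		roots.AddCert(proxyCA)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// isUnknownAuthority reports whether the failure is the "untrusted issuer"
// case, the one a browser turns into a certificate warning page.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ca, caKey, err := makeCA()
	if err != nil {
		panic(err)
	}
	const host = "www.example.com" // constructed hostname
	leaf, err := mintLeaf(ca, caKey, host)
	if err != nil {
		panic(err)
	}
	// Client without the proxy CA: verification fails before any page content matters.
	err = clientVerify(leaf, ca, host, false)
	fmt.Printf("CA not installed: unknown authority=%v (%v)\n", isUnknownAuthority(err), err)
	// Client with the CA installed out of band (e.g. pushed by domain policy): the chain builds.
	err = clientVerify(leaf, ca, host, true)
	fmt.Printf("CA installed: err=%v\n", err)
}
```

Run it with `go run`: the first verification fails with an `UnknownAuthorityError`, the same failure a browser reports as an untrusted-certificate interstitial, and the second succeeds only because the program explicitly adds the CA to the root pool. That step corresponds to installing the CA on the client, which is why it has to happen out of band (group policy in an AD domain, or the printed instruction sheet from the thread) before any bumped HTTPS page, a splash page included, can load.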