On Friday 07 March 2003 09.13, Christoph Haas wrote:
> On Fri, Mar 07, 2003 at 12:25:26AM +0100, Henrik Nordstrom wrote:
> > You can always use IDS tools like snort and the like to detect
> > such strange traffic patterns.
>
> But how can snort tell one SSL connection from the other?

You can very easily tell an SSH connection from an SSL connection.

> I would love to add this to my personal (empty so far) wishlist of
> Squid features. On my mind Squid is a security component and
> minimize as many security holes as possible.

Squid's primary job is HTTP proxying, not firewalling.

> If Squid would offer such a man-in-the-middle feature that would
> surely mean that users will always get the Squid SSL certificate
> and won't be sure who is on the other peer. But that would be the
> best solution IMHO.

If using an SSL man-in-the-middle then clients have to put full trust into the man-in-the-middle. This includes trusting whatever certificate the man-in-the-middle presents to the user, trusting the man-in-the-middle to verify any SSL certificates received from the origin servers, and also trusting the man-in-the-middle to provide client certificate identification to the origin servers if needed/wanted.

Regards
Henrik
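Henrik's point that an SSH connection and an SSL connection are easy to tell apart, as an added example that is not part of the thread and not Squid's code: a classifier over the first bytes a client sends into a CONNECT tunnel. SSH opens with the ASCII identification string "SSH-" (RFC 4253), while SSL/TLS opens with a handshake record whose first byte is 0x16 and whose version major byte is 0x03, followed by a ClientHello (handshake type 0x01). This is the same fingerprint check an IDS rule would apply. The names `Verdict`, `classify_first_bytes`, `report` and the `SAMPLE_TUNNELS` captures are all assumptions of this example; the sample bytes are constructed, not captured traffic.

```python
# Added example (not Squid code, not from the thread): classify the first
# bytes a client sends into a CONNECT tunnel as SSH, TLS, plain HTTP or unknown.
# All names below (Verdict, classify_first_bytes, report, SAMPLE_TUNNELS) are
# assumptions of this example.

from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    protocol: str   # "ssh", "tls", "http" or "unknown"
    detail: str     # human-readable reason for the verdict


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> Verdict:
    """Classify the first bytes the client sends after CONNECT succeeds."""
    # SSH (RFC 4253): the client opens with an ASCII identification string
    # "SSH-protoversion-softwareversion" terminated by CRLF.
    if data.startswith(b"SSH-"):
        banner = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
        return Verdict("ssh", banner)

    # TLS (RFC 5246 / RFC 8446): a record header is content type (0x16 =
    # handshake), a 2-byte version whose major byte is 0x03, and a 2-byte
    # length. The client's first handshake message is a ClientHello (0x01).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if data[5] == 0x01:
            return Verdict(
                "tls",
                f"ClientHello, record version 3.{data[2]}, record length {record_len}",
            )
        return Verdict("tls", f"handshake type 0x{data[5]:02x}")

    # Plain HTTP inside a CONNECT tunnel is neither SSH nor SSL; worth flagging.
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
        return Verdict("http", request_line)

    return Verdict("unknown", f"first bytes {data[:8].hex()}")


# Constructed sample captures (not real traffic), keyed by made-up tunnel ids.
# tunnel-2 is a minimal TLS 1.0-framed record carrying a ClientHello header:
#   16 03 01 00 08 | 01 00 00 04 | 03 03 00 00
SAMPLE_TUNNELS = {
    "tunnel-1": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tunnel-2": bytes.fromhex("16030100080100000403030000"),
    "tunnel-3": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tunnel-4": b"\x00\x00\x00\x00",
}


def report(tunnels: dict) -> dict:
    """Map each tunnel id to the protocol verdict for its first bytes."""
    return {tid: classify_first_bytes(first).protocol for tid, first in tunnels.items()}


if __name__ == "__main__":
    for tid, first in SAMPLE_TUNNELS.items():
        v = classify_first_bytes(first)
        print(f"{tid}: {v.protocol:8} {v.detail}")
```

The check only looks at the client's opening bytes, so it needs a feed of the tunnel's first segment (a proxy log hook or a packet tap); it says nothing about which SSL peer is behind the tunnel, which is the separate man-in-the-middle question discussed above.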
