On Thu, 5 Aug 2004, Michael Gale wrote:
> So to filter Hotmail attachments for viruses to secure the network, you create a fake CA for all HTTPS requests and tell every browser to trust this CA.

Yes.

> You have just screwed over all HTTPS security -- with all the IE bugs with regards to redirection, fake URLs in the address bar and everything.

Yes, but intentionally so.

> You have just made it 100 times easier for a hacker to exploit credit card information and banking information from all of your internal employees, I would think.

If you allow access to such sites, yes.

Most entities looking into this kind of filtering of HTTPS sites do not at all allow personal banking.

> Unless you are having Squid verify every certificate plus the URL it is displaying to the client and so on.

Of course Squid must do this. This is why I said the user has no control over the policy of what quality of server certificates to accept; it is all up to the policy defined in the proxy.

> When you think about it, if you want to make the network secure, why allow Hotmail access? Do they need it for work?? I would think not.

Problem is how to find and block all of them...

Regards Henrik
