Re: [squid-users] Re: SSL Traffic Monitoring

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 5 Aug 2004 18:32:16 +0200 (CEST)

On Thu, 5 Aug 2004, Michael Gale wrote:

> So to filter hotmail attachments for viruses to secure the network you
> create a fake CA for all HTTPS requests and tell every browser to trust
> this CA.

Yes.

> You have just screwed over all HTTPS security -- with all the IE bugs
> with regards to redirection, fake urls in the address bar and
> everything.

Yes, but intentionally so.

> You have just made it 100 times easier for a hacker to exploit credit
> card information and banking information from all of your internal
> employees I would think.

If you allow access to such sites, yes.

Most entities looking into this kind of filtering of https sites do not
at all allow personal banking.

> Unless you are having squid verify every certificate plus the url it is
> displaying to the client and so on.

Of course Squid must do this. This is why I said the user has no control over
the policy of what quality of the server certificates to accept, it is all
up to the policy defined in the proxy.

> When you think about it, if you want to make the network secure why allow
> hotmail access? Do they need it for work?? I would think not.

Problem is how to find and block all of them...

Regards
Henrik
Received on Thu Aug 05 2004 - 10:32:19 MDT
