Re: [squid-users] SSL and ACL, anyone?

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Wed, 05 Jul 2006 20:11:18 +0200

On Wed 2006-07-05 at 12:46 +0200, Toni Mueller wrote:

> I see the conflict about breaking end-to-end security and invading
> privacy on one side, and a requirement to keep malware out which could
> sneak in via SSL transport.

With SSL it's more than a conflict. SSL is explicitly designed to not
allow breaking end-to-end. Meaning that breaking end-to-end is only
theoretically possible if the client is configured to trust the proxy as
an SSL CA. Additionally, this will cripple the SSL protocol making it
impossible to use client certificate authentication and also makes it
impossible for the user/browser to properly verify the requested server
(it has to trust the proxy to do all verifications correctly...)

With these limitations and drawbacks it is theoretically possible, but
not yet implemented for Squid.

Regards
Henrik

Received on Wed Jul 05 2006 - 12:11:21 MDT
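The trust condition Henrik describes can be shown with the openssl command-line tool. The script below is an added example, not code from the Squid thread or the Squid project: it builds a throwaway "proxy CA" and an unrelated "public CA" (both hypothetical, constructed for the demo), has the proxy CA issue a certificate for a made-up server name, and then checks that certificate against each trust store. Verification only succeeds when the proxy CA itself is trusted, and the issuer field of the re-signed certificate is what a user or browser would see when the proxy has inserted itself. It assumes a working `openssl` binary with its default configuration and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates that an
# intercepting proxy's re-signed certificate verifies only against a
# trust store that contains the proxy's own CA, and that the issuer
# name reveals the substitution. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed "proxy CA" (stands in for the CA a bumping proxy would use).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Hypothetical Proxy CA" \
  -keyout "$WORK/proxyca.key" -out "$WORK/proxyca.pem" >/dev/null 2>&1

# 2. An unrelated self-signed "public CA" (stands in for the browser's real trust store).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Hypothetical Public CA" \
  -keyout "$WORK/publicca.key" -out "$WORK/publicca.pem" >/dev/null 2>&1

# 3. The proxy CA issues a leaf certificate carrying the origin server's name.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=origin.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/proxyca.pem" -CAkey "$WORK/proxyca.key" -CAcreateserial \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_with_store <ca-file>: validate the proxy-issued leaf against a given
# trust store; prints "ok" or "fail".
verify_with_store() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# issuer_of: print the issuer of the leaf certificate, i.e. who really signed
# what the client receives. This is the field a vigilant user would inspect.
issuer_of() {
  openssl x509 -noout -issuer -in "$WORK/leaf.pem"
}

echo "against public CA: $(verify_with_store "$WORK/publicca.pem")"   # fail
echo "against proxy CA:  $(verify_with_store "$WORK/proxyca.pem")"    # ok
echo "leaf issuer:       $(issuer_of)"
```

The first check is the normal browser situation: the proxy's certificate for `origin.example` is rejected because nothing in the trust store vouches for the proxy CA. The second check is the situation Henrik describes, where the client has been configured to trust the proxy as a CA; from then on the client is trusting the proxy to perform all server verification on its behalf. Note that nothing in this setup lets the proxy forward the user's own client certificate, which is why client-certificate authentication cannot survive interception.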
