[squid-users] Re: SSL and ACL, anyone?

From: Toni Mueller <[email protected]>
Date: Wed, 5 Jul 2006 22:31:43 +0200

Hej Henrik,

On Wed, 05.07.2006 at 20:11:18 +0200, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> With SSL it's more than a conflict. SSL is explicitly designed to not
> allow breaking end-to-end. Meaning that breaking end-to-end is only
> theoretically possible if the client is configured to trust the proxy as
> an SSL CA. Additionally, this will cripple the SSL protocol making it
> impossible to use client certificate authentication and also makes it

thank you for this good explanation!

This begs the question what the commercial pack is doing when
clamouring about content security, however. I thought they were
claiming to look also inside encrypted traffic to enforce policies.

As it stands, usage using client certificates for authentication is
probably not mandatory in many cases (eg. when using a random shop
site).

> impossible for the user/browser to properly verify the requested server
> (it has to trust the proxy to do all verifications correctly...)

Yes, but the client has to trust the proxy for non-encrypted traffic
anyway. Ie, if I want to go to www.ebay.com and get redirected by the
proxy to vvv.ebay.com (just a contrived example), it'll be a lot easier
to fool me into going to the wrong encrypted site thereafter, too.

Mvh,
--Toni++
Received on Wed Jul 05 2006 - 14:31:46 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Aug 01 2006 - 12:00:01 MDT