Henrik Nordstrom wrote:
> Joe Cooper wrote:
>
>
> >One part of the security requirement of SSL is end-to-end trust.
> >Without that, any proxy could hijack connections and 'listen in'. It
> >would require a huge endeavour to bypass those tests of end-to-end
> >security...though someone with enough resources might manage it
> >("enough" here being defined as "practically unlimited").
>
>
> Well, as discussed several months ago in a different thread on
> squid-users, if you are in a position to set policy you can set the
> policy for the organisation that there is no end-to-end SSL provided.
> Then make sure the CA used for the proxy certificate is trusted by your
> users' browsers, and instruct your users that to reach SSL sites they
> must click away the certificate name warning.. 99.99% of the users have
> no clue what SSL certificate names are about anyway..
>
> With a little CPU power you can even get rid of the certificate name
> warning in the above scenario, if the CA used is a private CA under the
> control of the proxy, this CA is installed as a trusted CA in your
> client browsers, and the browser is configured to use a proxy for SSL.
True, with complete control over the client machines, anything is
possible. Heck, it wouldn't be all that difficult to enforce use of an
Open Source browser modified to always accept the local cert regardless
of whether it matched the destination.
But, given a relatively secured client machine that is not owned by the
same folks administering the proxy, it is not possible without the
awareness of the client.
--
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com

Received on Sat Nov 23 2002 - 14:06:41 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:32 MST