On Wed, 4 Aug 2004, McDonald, Rob wrote:
> I am looking to start caching SSL traffic, so I can make the content conform
> to company HR policies.
>
> There are commercial products that do this.
>
> I was wondering what the Squid crowd was doing for this issue?
Generally HTTPS traffic can not be cached due to the encryption.
Technically it is possible to implement a decrypting proxy using spoofed
server certificates issued by the proxy, but this has not yet been
implemented in Squid. The technical drawbacks from doing this is
- End-to-end is violated, making it impossible to use/access sites
requiring client side SSL certificates for authentication.
- User no longer is given the choice of trusting or denying access to
sites not having a valid certificate. The company policy set in the proxy
applies to all.
- User no longer can inspect the servers certificate to determine if the
site is trustworthy or not.
- Not yet implemented in Squid, so to do this it first needs to be
implemented in the Squid code.
If you want to discuss how this may be implemented in Squid please contact
squid-dev@squid-cache.org.
Regards
Henrik
Received on Wed Aug 04 2004 - 16:08:32 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:01 MDT