Re: [squid-users] Re: SSL Traffic Monitoring

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 5 Aug 2004 18:39:23 +0200 (CEST)

On Thu, 5 Aug 2004, Michael Gale wrote:

> I understand that administration headache ... but with the IE
> vulnerabilities would have me worried. Other than that SSL filtering
> would be nice.

Part of this is to define the certificate policy of the proxy. This
obviously includes limited (if any) access to https sites having invalid
certificates.

For what it is worth, the fake CA does only need to issue certificates for
sites having a valid certificate. For other sites you could issue
self-signed certificates to alert the user that this site does not have a
valid certificate.

What needs to be different in the certificate presented to the user from
the original site certificate is:

  1. The encryption key.

  2. The CA who issued the certificate on trusted certificates.

If the site certificate does not compute then it is best to issue a
self-signed certificate.

In both cases the expiry date should be no further than the original site
certificate.

Regards
Henrik
Received on Thu Aug 05 2004 - 10:39:26 MDT
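The certificate policy laid out in the reply above (a new key, the proxy CA as issuer only when the origin certificate verifies, a self-signed certificate otherwise, and an expiry no later than the origin's), as an added Go example using only the standard library; it is not code from this thread or from Squid. `Sample`, the host names and the root pool are constructed stand-ins for real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with a freshly generated key (rule 1: never the site's own); parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Sample is a constructed stand-in for a real CA (isCA) or server certificate; parent == nil means self-signed.
func Sample(host string, isCA bool, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: host}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour)}, parent, caKey)
}

// MimicCert applies the policy from the mail: a new key; the proxy CA as issuer only
// when orig verifies against roots, otherwise self-signed; expiry no later than orig's.
func MimicCert(orig *x509.Certificate, roots *x509.CertPool, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: orig.Subject,
		DNSNames: orig.DNSNames, NotBefore: orig.NotBefore, NotAfter: orig.NotAfter}
	if _, err := orig.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return issue(tmpl, nil, nil) // invalid origin certificate: self-signed, so the browser warns
	}
	return issue(tmpl, ca, caKey)
}
```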
