Re: [squid-users] SSL Bump and dynamic SSL generation

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 12 May 2014 16:39:06 +1200

On 12/05/2014 9:42 a.m., Tom Holder wrote:
> Thanks for your help Walter, problem is, which I wasn't too clear
> about, site1.com was just an example. It could be any site that I
> don't previously know the address for.
>
> Therefore, the only thing I can think of is to dynamically generate a
> self-signed cert.

One of the built-in problems with forgery is that one must have an
original to work from in order to get even a vague resemblance of
correctness. Don't fool yourself into thinking SSL-bump is anything
other than high-tech forgery of the website owner's security credentials.

OR ... with a blind individual doing the checking it does not matter.

(Un)luckily the system design for SSL and TLS as widely used today
places a huge blindfold (the trusted CA set) on the client software. So
all one has to do is install the signing CA for the forged certificates
as one of those CAs and most anything becomes possible.
 ... check carefully the legalities of doing this before doing anything.
In some places even experimenting is a criminal offence.

Amos
Received on Mon May 12 2014 - 04:39:12 MDT
