On 28/07/14 05:15, Alex Crow wrote:
>
> You need to create your own CA, import the CA cert into your client
> browsers (which will get rid of the warning) and use the key to do
> dynamic cert generation in squid. Then it is possible to do either
> WPAD based browser config, or, I think (harder) do TPROXY with bumping.
>
> NB unless you can import your own CA cert into all client browsers you
> *WILL* get certificate validation failures in the browser.
>
It's also a bit harder than that. Google chrome uses cert pinning to
ensure any time Chrome goes to any Google https site, that the server
cert is signed by the CA that Google knows it was signed by. This means
MITM SSL interception is noticed by Chrome and it shrieks and screams :-)
So even with SSL interception, you need to create an "exception acl" of
sites that are not to be fiddled with - which entirely undoes the reason
for doing intercept in the first place(*) - or somehow ban the use of Chrome
I do wonder where this will end. How long before Firefox starts pinning,
then MSIE, then it gets generalized, etc?
(*) Being able to view Cloud-provider HTTPS content is actually one of
the primary reasons I want to do SSL interception. In the past year
we've seen a major uptick in malware being delivered to clients via
https (Amazon, Google, Dropbox), and being able to get an AV filter in
there would really help. Unfortunately, Google has this thing about
trying to stop nasty governments from spying on their citizens (ie both
motivations are justified, but diametrically opposed)
-- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1Received on Sun Jul 27 2014 - 22:49:14 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 30 2014 - 12:00:04 MDT