
Re: Redirect HTTPS with Squid3+Squidguard



Hello Sven and the others,

thanks for the help.

I thought there was a simple and secure way to redirect to a 'This Site has been blocked' page for HTTP and HTTPS. But if I must destroy the safety of HTTPS, this isn't an option.

It is a nice-to-have feature in my project, so the user can see that this site has been blocked and that there are no connection troubles (the browser error page).

Greetings,
Michael

> "Sven Hartge" <sven@svenhartge.de> wrote:
> Bob Proulx <bob@proulx.com> wrote:
> > Sven Hartge wrote:
> >> Michael I. wrote:
> 
> >>> Is there really no way to redirect https request to an errorpage
> >>> with squid3+squidguard?
> 
> >> Long answer: The only way is to set up a transparent proxy,
> >> intercepting any outbound connection and terminating the encryption
> >> on the proxy. You will need a fake CA certificate with which the
> >> proxy is able to create fake server certificates so the client still
> >> thinks it is connected to the real server.
> >> 
> >> And here it gets a) dangerous and b) expensive.
> 
> > It is extremely bad, bad, bad, as well as dangerous.  I haven't been
> > following the news in great detail but read all about Komodia's recent
> > news articles.  Komodia's cracking tools are used in Superfish and
> > Lenovo was in trouble for pre-installing Superfish.
> 
> There are network policy/security appliances in the enterprise world,
> which implement a scanning proxy for HTTPS. They come with either a
> wildcard certificate for * (signed by a valid CA!) or a fake CA
> certificate, which you install onto your computers to enable the
> appliance to function.
> 
> This is of course very dangerous if you don't know what you are doing,
> but sometimes there are no other options (for example HIPAA, SOX, PCI,
> ...) if you have to absolutely control the flow and content of data.
> 
> But then, if you are in the area where you need such
> MitM-Filter-SSL-breaking-proxies, then you already know how to do it
> and when to do it.
>
> If you don't know how to do it and when to do it, chances are, you don't
> need it.
> 
> Guessing from Michael's TLD, he is German. This means there are several
> other things to consider, based on the environment this is done in. If
> this is for a company or governmental agency, the Betriebsrat (works
> council) or the Personalrat and the local Datenschutzbeauftragter (data
> security official) have to be involved.
> 
> Grüße,
> Sven.
> 
> -- 
> Sigmentation fault. Core dumped.
> 
> 