
Re: Redirect HTTPS with Squid3+Squidguard



Michael Graham wrote:
> Reco wrote:
> > Ow. Exactly which kind of consumer-grade hardware comes with SSL bump
> > preinstalled? That's very interesting to me as I'd like to know which
> > hardware to avoid in the future.
> 
> It's way more common than you seem to think. CERT recently did a blog post
> about it and it contains a list of both hardware vendors (like Bloxx and
> bluecoat) as well as commercial and free software.
> 
> http://www.cert.org/blogs/certcc/post.cfm?EntryID=221
> 
> Basically if you're selling a web filter or similar security device, you
> let admins bump SSL.

There are certainly many products that one can buy that do SSL
inspection.  No one is saying otherwise.  That wasn't the question.
But are any of those commonly used consumer devices?

If someone walks into Fry's or Best Buy and spends less than $100 for
a home firewall router such as a Linksys, Netgear, D-Link then I doubt
it is going to crack open SSL.  I doubt they do because doing so would
require additional CAs to be installed on users' tablets and other
systems downstream and that requires too much support and
hand-holding.

Most users would be immediately confused, would consider the device
broken, would return it without ever knowing that they were making the
right decision of avoiding it but without ever understanding the
details.  Therefore consumer devices aren't going to go there.

> Given how easy it is for those same admins to push the fake SSL CAs out
> over active directory group policy it's pretty much transparent to most
> naive users who don't understand the difference between https and http
> never mind trying to explain a MITM proxy with a fake root CA!

Agreed in the corporate environments.  They have control over the
users' equipment.  They often require and issue company laptops to
employees.  For that type of environment they can do anything.

The warning is clear.  Don't use your company laptop for your non-work
anything.  It isn't secure.  Use your own computer, laptop, tablet,
phone for your banking and anything that needs security.

Bob
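A user-side check for the situation discussed in this thread (a bumping proxy whose locally pushed root CA makes the MITM invisible to the browser), written as an added example that is not part of the thread. It assumes the expected issuer CN for each sensitive host has been pinned out of band (the EXPECTED_ISSUER_CN table and the sample certificate dicts below are constructed) and uses Python's standard ssl module; a bumped connection validates fine against the pushed root, so the issuer mismatch is what gives it away.

```python
import socket
import ssl

# Pinned issuer commonName per host, recorded from a known-clean network.
# Constructed sample values, not real pins.
EXPECTED_ISSUER_CN = {"bank.example": "Example Public CA"}


def issuer_cn(peercert):
    """Extract the issuer commonName from an ssl.getpeercert()-style dict."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def looks_intercepted(host, peercert):
    """Return (flag, reason). flag is True when the presented leaf was signed by
    something other than the pinned issuer, which is what a bumping proxy using
    a locally installed root CA produces; None when there is no pin for host."""
    expected = EXPECTED_ISSUER_CN.get(host)
    if expected is None:
        return None, "no pin recorded for %s" % host
    seen = issuer_cn(peercert)
    if seen != expected:
        return True, "issuer %r differs from pinned %r" % (seen, expected)
    return False, "issuer matches pin"


def check_live(host, port=443):
    """Connect with the system trust store (as the browser would) and apply the
    pin check to the certificate the network actually presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return looks_intercepted(host, tls.getpeercert())


# Constructed samples of getpeercert() output: a re-signed leaf from a
# corporate web filter, and the genuine chain.
BUMPED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Corp IT"),),
               (("commonName", "Corp Web Filter CA"),)),
}
CLEAN_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}
```

Run check_live("bank.example") from a machine on the suspect network to apply the same test to a real connection; the offline samples show the two outcomes the check distinguishes.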
