[ale] Linux UTM

Boris Borisov bugyatl at gmail.com
Fri Apr 18 19:10:42 EDT 2014


It is absolutely for personal use (actually, preventing my kids from accessing
stuff not for them). Why https? Everything is over https today (social
sites, email, even Google search is https by default). Or you can tell me if I'm
in the wrong direction.


On Fri, Apr 18, 2014 at 5:50 PM, Michael H. Warfield <mhw at wittsend.com> wrote:

> On Fri, 2014-04-18 at 15:19 -0400, Boris Borisov wrote:
> > I'm trying to build UTM based on debian+dansguardian+squid. So far so
> > good everything works. But what to do about https://. Most sites today
> > are trying to use secure https even google search. How dansguardian
> > can filter content going over https? Any ideas
>
> For what purpose?  And by that I mean, what is the user environment and
> organizational requirements, and not merely "to filter https".  The
> answer to that question is very important.
>
> The goal would be to have a proxy MITM the SSL connection.
>
> If it's for personal purposes, you can create your own certificate for a
> proxy and just accept it internally.  You have a limited client set so
> that's fairly trivial.
>
> A number of very large international corporations set up their own "wild
> card certs" (certs for *) and got them signed (no doubt for vast amounts
> of money) by certain CAs.  When some of that was discovered, the
> proverbial feces hit the proverbial rapidly whirling blades and said
> CAs involved were hit with a nor'easter of fecal flakes.  All that
> said, there may still be some out there, or you may have an institutional
> CA installed (large outfits often do), and then the proxy has the
> wildcard cert and key.
>
> If you're not an international head banger or covert governmental TLA,
> you probably need to go with an internal CA and have your users install
> it in your root store.  That's actually not a big deal.  I have a CA
> myself for things like IPSec, OpenVPN, and all my secure E-Mail stuff.
> Nobody should install it for anything other than dealing with me but, if
> you do, anything it signs would be accepted just like anything from
> Verisign.  The deal is getting that CA installed in your root store.
> Then your users add it to their keystore and you create a wildcard cert
> for your proxy.  Some orgs this would work.  Some it would not.
>
> So it's context, purpose, and organizationally dependent.  Can you do
> it?  Yes, for some value of "can".
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
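The internal-CA arrangement Mike describes, worked through with openssl as an added example (not code from the thread): a private root CA, a proxy certificate signed by it, and a chain check showing the proxy cert is accepted only by a client that trusts that CA. The CA names, the hostname `proxy.home.example` and the file paths are constructed for the demo.

```bash
#!/bin/sh
# Added example: private CA + proxy cert, and what "trust" looks like to a client.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca <prefix> <name>: self-signed root CA written to $WORK/<prefix>-ca.{key,pem}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# make_proxy_cert <prefix>: key + CSR for the proxy, signed by $WORK/<prefix>-ca.pem
make_proxy_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=proxy.home.example" \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/proxy.csr" -days 90 \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/proxy.pem" 2>/dev/null
}

# check_chain <ca-file>: prints "trusted" if proxy.pem chains to exactly that CA
# (system store ignored), "untrusted" otherwise.
check_chain() {
  if openssl verify -no-CApath -CAfile "$1" "$WORK/proxy.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca home "Home Filtering CA (demo)"       # the CA the household installs
make_ca other "Unrelated CA (demo)"           # stands in for any CA the proxy is NOT signed by
make_proxy_cert home

# Client with the home CA in its root store: accepts the proxy cert.
check_chain "$WORK/home-ca.pem"               # trusted
# Client that never installed it: rejects the cert, which is the visible
# sign of an interception proxy on the path.
check_chain "$WORK/other-ca.pem"              # untrusted
```

`openssl verify` only checks the signature chain; browsers additionally require a subjectAltName matching the host and will not honour a bare `*` wildcard, so a cert generated this way is good for the chain demonstration, not for a production proxy.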