[ale] Linux UTM
Michael H. Warfield
mhw at WittsEnd.com
Fri Apr 18 21:05:19 EDT 2014
On Fri, 2014-04-18 at 19:10 -0400, Boris Borisov wrote:
> It is absolutely for personal use (actually, preventing my kids from
> accessing stuff that is not for them). Why https? Everything is over https
> today (social sites, email, even google search is https by default). Or you
> can tell me if I'm going in the wrong direction.
Oh, I understand why https. The question was really the scope, which
you've stated - personal.
You can do this, it just means setting up a proxy with a certificate
which you then have to accept in your browser. There may be some loss
of control over verification of other certificates, since it's then the
proxy doing the verification. I haven't actually set one up for this
but I know it can be done. You just don't need the level of setup that
a big corporation might deploy, where they would use custom CAs and
whatnot.
Regards,
Mike
>
> On Fri, Apr 18, 2014 at 5:50 PM, Michael H. Warfield
> <mhw at wittsend.com> wrote:
> On Fri, 2014-04-18 at 15:19 -0400, Boris Borisov wrote:
> > I'm trying to build a UTM based on debian+dansguardian+squid. So far so
> > good, everything works. But what to do about https://? Most sites today
> > are trying to use secure https, even google search. How can dansguardian
> > filter content going over https? Any ideas?
>
> For what purpose? And by that I mean, what are the user environment and
> organizational requirements, and not merely "to filter https". The
> answer to that question is very important.
>
> The goal would be to have a proxy MITM the SSL connection.
>
> If it's for personal purposes, you can create your own certificate for
> a proxy and just accept it internally. You have a limited client set so
> that's fairly trivial.
>
> A number of very large international corporations set up their own "wild
> card certs" (certs for *) and got them signed (no doubt for vast amounts
> of money) by certain CAs. When some of that was discovered, the
> proverbial feces hit the proverbial rapidly whirling blades and said
> CAs involved were hit with a nor'easter of fecal flakes. All that
> said, there may still be some out there or you may have an institutional
> CA installed (large outfits often do) and then the proxy has the
> wildcard cert and key.
>
> If you're not an international head banger or covert governmental TLA,
> you probably need to go with an internal CA and have your users install
> it in your root store. That's actually not a big deal. I have a CA
> myself for things like IPSec, OpenVPN, and all my secure E-Mail stuff.
> Nobody should install it for anything other than dealing with me but, if
> you do, anything it signs would be accepted just like anything from
> Verisign. The deal is getting that CA installed in your root store.
> Then your users add it to their keystore and you create a wildcard cert
> for your proxy. For some orgs this would work. For some it would not.
>
> So it's context, purpose, and organizationally dependent. Can you do
> it? Yes, for some value of "can".
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
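The internal-CA setup the thread describes, as an added example that is not code from the thread, from Mike, or from any of the projects named: a private root CA, a certificate for one hostname signed by that CA, and the two checks a client ends up doing depending on whether the CA is in its root store or not. Only openssl is used. The CA name "Home UTM Root CA", the hostname www.example.com and the output directory are assumptions for illustration. It mints a per-host certificate rather than the "*" wildcard mentioned above, because browsers match the name against subjectAltName and reject a bare "*"; the proxy therefore needs one certificate per site it bumps, signed by this CA.

```shell
#!/bin/sh
# Added example, not code from the thread: mint a private CA and a
# CA-signed certificate for one hostname, then show which verification
# passes (client trusts ca.crt) and which fails (client has only its
# system store, i.e. the CA was never installed). Only openssl is used.
# The hostname, the CA name and the output directory are assumptions.
set -eu

# make_ca DIR
# Self-signed root with CA:TRUE. ca.key must never leave the proxy host:
# whoever holds it can issue a certificate for any name the clients
# trust this CA for, which is exactly what the intercepting proxy does.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Home UTM Root CA
[ca_ext]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue_cert DIR HOST
# Leaf certificate for HOST signed by the CA above. Browsers match on
# subjectAltName and reject a bare "*" wildcard, so the proxy needs one
# of these per bumped site rather than a single "cert for *".
issue_cert() {
    dir="$1"; host="$2"
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = $host
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 \
        -extfile "$dir/$host.cnf" -extensions leaf_ext -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# verify_with_ca DIR HOST
# Exit 0 when a client that has installed ca.crt would accept the cert
# for HOST (chain and hostname both checked).
verify_with_ca() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/$2.crt" >/dev/null 2>&1
}

# verify_with_system_store DIR HOST
# Same check against the OS trust store only. Exit 0 here would mean the
# system already trusts the private CA; before installation it must fail.
verify_with_system_store() {
    openssl verify -verify_hostname "$2" "$1/$2.crt" >/dev/null 2>&1
}

# Demo run when executed directly (writes into a fresh temp dir by default).
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-www.example.com}"
make_ca "$WORKDIR"
issue_cert "$WORKDIR" "$HOST"
if verify_with_ca "$WORKDIR" "$HOST"; then
    echo "client trusting ca.crt: $HOST accepted"
fi
if verify_with_system_store "$WORKDIR" "$HOST"; then
    echo "WARNING: the system store already trusts this CA"
else
    echo "system store only: $HOST rejected (install $WORKDIR/ca.crt on each client, never ca.key)"
fi
```

The file that goes onto the kids' machines and browsers is ca.crt; ca.key stays on the UTM box with the proxy. With Squid the proxy does the per-host minting itself once it is given that CA pair: from my own notes on its configuration (check the squid.conf documentation for the exact version installed), the http_port line takes ssl-bump with cert= and key= pointing at the CA certificate and key plus generate-host-certificates=on, and sslcrtd_program points at the bundled certificate generator helper. The point Mike makes about losing some control over verification still applies: once the CA is in the root store, it is the proxy, not the browser, that decides whether the real upstream certificate was any good.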