Mailinglist Archive: opensuse (1355 mails)

[opensuse] Re: opensuse mailing list site ridiculousness
Carlos E. R. wrote:
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:

On 2018-06-17 06:45, L A Walsh wrote:

Thank-you google for making the need for decryption a standard
such that even I go through the trouble so I can continue to cache
traffic.
Ah, caches stop working. Good point.
Not entirely; I think squid has been doing some work:
https://wiki.squid-cache.org/Features/SslBump

It is an interesting point, isn't it?

We use https to be secure when talking to the bank, yet it is possible
to put a proxy server that deciphers the traffic and provides a cache.

Thus protecting the web archive with https is moot, the evil government
can still read what we read ;-P
-----
Isn't that what I was saying in my last message (from
yesterday)? SslBump provides the decryption -- it's basically
a WITM setup --- 'cept I'm the Woman-In-The-Middle. That's
what I was talking about - now I decrypt so instead of one long
'CONNECT' stream of encrypted traffic, I see the CONNECT
messages, and the individual objects within.

Making it work right isn't trivial. You also
have to install your own root_CA's in every client's CA_certificate store (clients on Windows AND linux) as
a trusted 'root'. That's where governments and large,
well funded ISP's put their own rootCA.

Per Jessen wrote:
AFAICT, the user is warned about a possible man-in-the-middle attack.
The article is quite clear about it.
---
If you set up the same cert as Trusted root and as
a web-signer, or don't install it on the client system,
then yes, you may get a message from some SW, but install
a root cert on all your client systems, then use it to create/sign on-the-fly web-certs and you shouldn't see
any messages.

Only time I saw a message is when I had _not_ installed
my cert in my clients' trusted root list.

For government or sufficiently large corps, they pay to
have it inserted in the public CA_authority lists.
I mean the FBI comes along with a security letter to
some company that forces them to silently comply --
how would you know? Companies on the rootCA list,
to name a few:

BofA - do you trust them?
Equifax -- and you know how well they handle security.
Government Root Cert Auth (Taiwan gov)
RSA (who has been rumored to cooperate w/CIA et al)
"Go Daddy" -- nuf said.
Visa -- it's everywhere they wanna be...
Verisign
Wells Fargo - remember how they screwed their customers
and got caught red-handed?
---
Those are just some of the more famous names;
there are quite a few distributed along with standard
browser SW.

This was my point -- https everywhere is really doing
more harm than good.

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
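The thread above describes two things: a client stops warning the moment the proxy's root is in its trust store, and on-the-fly leaf certs signed by that root then look like any other site cert. The script below is an added example, not code from the thread, from squid, or from any of the posters. It builds a throwaway lab PKI with the `openssl` command line (one root standing in for the site's genuine CA, one standing in for a SslBump-style proxy root, and a leaf for each) and shows the check a client-side defender can run: instead of asking "does this chain end at *some* trusted root?", pin the fingerprint of the root you expect for that host and fail when the presented chain ends anywhere else, however trusted that other root is locally. The host name `www.example-bank.test`, the CA names and the lab directory are constructed placeholders; the only assumption is that `openssl` (1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example: lab reproduction of the trust-store vs. pinned-root decision.
# Everything here is constructed; the host and CA names are placeholders.
set -eu

# make_root PREFIX "CN"  -> PREFIX.key, PREFIX.pem (self-signed root)
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

# issue_leaf ROOTPREFIX HOST OUTPREFIX -> OUTPREFIX.pem signed by ROOTPREFIX
# This is the "create/sign on-the-fly web-certs" step, done once by hand.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$3.key" \
        -out "$3.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$3.pem" 2>/dev/null
}

# chain_verifies STORE LEAF -> 0 if LEAF chains to a root in STORE.
# This is the decision that produces, or suppresses, the browser warning.
chain_verifies() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# fingerprint CERT -> SHA-256 fingerprint, colon separated
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pinned_root_ok LEAF STORE_DIR EXPECTED_FP -> 0 only if the root that
# actually verifies LEAF (whichever one in STORE_DIR) has the pinned
# fingerprint; 1 if it chains to any other root, or to none at all.
pinned_root_ok() {
    for root in "$2"/*.pem; do
        if chain_verifies "$root" "$1"; then
            [ "$(fingerprint "$root")" = "$3" ] && return 0
            return 1
        fi
    done
    return 1
}

demo() {
    lab=$(mktemp -d)
    mkdir -p "$lab/store"
    host="www.example-bank.test"                      # constructed host
    make_root "$lab/store/genuine" "Lab Public CA"      # the site's real CA
    make_root "$lab/store/proxy"   "Lab Proxy Root"     # the interceptor's root
    issue_leaf "$lab/store/genuine" "$host" "$lab/real"
    issue_leaf "$lab/store/proxy"   "$host" "$lab/intercepted"
    pin=$(fingerprint "$lab/store/genuine.pem")

    # 1. Proxy root installed: the intercepted leaf passes, hence no warning.
    if chain_verifies "$lab/store/proxy.pem" "$lab/intercepted.pem"; then
        echo "trust-store check: intercepted leaf accepted (no warning)"
    fi
    # 2. Proxy root NOT installed: this is the only case the user ever sees.
    if ! chain_verifies "$lab/store/genuine.pem" "$lab/intercepted.pem"; then
        echo "trust-store check: intercepted leaf rejected (warning shown)"
    fi
    # 3. Pin check: catches the swap even with the proxy root trusted.
    if pinned_root_ok "$lab/real.pem" "$lab/store" "$pin"; then
        echo "pin check: genuine leaf ok"
    fi
    if ! pinned_root_ok "$lab/intercepted.pem" "$lab/store" "$pin"; then
        echo "pin check: intercepted leaf chains to an unexpected root"
    fi
    rm -rf "$lab"
}

demo
```

The point of `pinned_root_ok` is that it never consults the full local store as an oracle; the store is only used to discover which root the presented chain ends at, and that root is then compared with the one you recorded out of band. Real clients do the same job with HPKP-style pins, certificate transparency logs or a hard-coded issuer list; the shell version just makes the difference between "trusted somewhere" and "the root I expect" visible on one screen.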