
Redirect HTTPS with Squid3+Squidguard


Michael I.

Mar 22, 2015, 4:10:04 PM
Hello list,

I have a problem with my squid3 + squidguard. I can't redirect https
requests to an error page. When I request a blocked https page it always
says the site isn't available.

I searched on the internet and there it says it is a problem with the
https protocol, because https is direct and doesn't allow a redirect.

Is there really no way to redirect https requests to an error page with
squid3+squidguard?

Thanks for the help.

--
best regards
Michael I.


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: https://lists.debian.org/550F1FB8...@abwesend.de

Sven Hartge

Mar 22, 2015, 5:00:05 PM
Michael I. <linux-m...@abwesend.de> wrote:

> I have a problem with my squid3 + squidguard. I can't redirect https
> requests to an error page. When I request a blocked https page it
> always says the site isn't available.

> I searched on the internet and there it says it is a problem with the
> https protocol, because https is direct and doesn't allow a redirect.

This is correct. An HTTP client doing HTTPS over a proxy like squid uses
CONNECT (instead of HEAD, GET or POST), which instructs the proxy to open
a TCP connection to the specified host and port and forward any bytes
sent or received. Since inside that connection the data is encrypted, the
proxy cannot do anything special with it.

> Is there really no way to redirect https requests to an error page with
> squid3+squidguard?

Short answer: No, there is not.

Long answer: The only way is to set up a transparent proxy, intercepting
any outbound connection and terminating the encryption on the proxy. You
will need a fake CA certificate with which the proxy is able to create
fake server certificates so the client still thinks it is connected to
the real server.

And here it gets a) dangerous and b) expensive.

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/jbfpuj...@mids.svenhartge.de
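Sven's CONNECT explanation above, modelled in a few lines of Python. This is an added example, not code from the thread, from Squid or from squidGuard; the blocklist, the host names and the 403 policy are constructed assumptions. The function reads the CONNECT head the way an explicit proxy does, applies the thread's SSL_PORTS-style port check and a domain blocklist, and returns what it would answer together with the bytes it would merely relay. For a CONNECT the only URL the proxy, or a url_rewrite helper like squidGuard, can be handed is host:port, and once the proxy has answered 200 the relayed bytes are a TLS handshake it cannot read or replace, which is why no error page can appear inside the tunnel. Current Firefox and Chrome also do not render the body of a non-2xx answer to a CONNECT, so refusing the tunnel is all the proxy can do.

```python
import re

# Mirrors the thread's "acl SSL_PORTS port 443": CONNECT is only allowed to 443.
SSL_PORTS = {443}
# Constructed blocklist standing in for the lists squidGuard consults.
BLOCKED_DOMAINS = {"blocked.example"}

# Request line of an explicit-proxy CONNECT: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def parse_connect(head: bytes):
    """Return (host, port) from a CONNECT request head, or None if it is not a CONNECT."""
    m = CONNECT_RE.match(head)
    if m is None:
        return None
    return m.group(1).decode("ascii").lower(), int(m.group(2))


def domain_blocked(host: str) -> bool:
    """True if host or any parent domain is on the blocklist."""
    labels = host.rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def looks_like_tls(relayed: bytes) -> bool:
    """Relayed bytes start with a TLS record header (type 0x16 handshake, major
    version 3), i.e. nothing the proxy could parse as HTTP."""
    return len(relayed) >= 2 and relayed[0] == 0x16 and relayed[1] == 0x03


def proxy_decision(client_bytes: bytes):
    """Model what an explicit proxy can do with an HTTPS client.

    The proxy reads up to the blank line that ends the CONNECT head; host:port is
    the only URL it (or a url_rewrite helper such as squidGuard) can judge. The
    bytes after the blank line are the client's TLS handshake, which the proxy
    relays unchanged once it has answered 200, so no error page can be put into
    the tunnel. Returns (status_line, relayed_bytes)."""
    head, sep, tail = client_bytes.partition(b"\r\n\r\n")
    parsed = parse_connect(head + b"\r\n") if sep else None
    if parsed is None:
        return "HTTP/1.1 400 Bad Request", b""
    host, port = parsed
    if port not in SSL_PORTS:                 # http_access deny CONNECT !SSL_PORTS
        return "HTTP/1.1 403 Forbidden", b""
    if domain_blocked(host):
        # Refusing the tunnel is all the proxy can do; the browser then shows its
        # own connection-error page. A 302 with a Location header sent here is
        # not rendered by current Firefox or Chrome.
        return "HTTP/1.1 403 Forbidden", b""
    return "HTTP/1.1 200 Connection established", tail


# Constructed client stream: CONNECT head followed by the first bytes of a TLS
# ClientHello record (0x16 0x03 0x01 ...).
SAMPLE_CLIENT = (
    b"CONNECT www.blocked.example:443 HTTP/1.1\r\n"
    b"Host: www.blocked.example:443\r\n\r\n"
    b"\x16\x03\x01\x00\x2a\x01"
)

if __name__ == "__main__":
    status, relayed = proxy_decision(SAMPLE_CLIENT)
    print(status, "| opaque bytes relayed:", len(relayed), "| TLS:", looks_like_tls(relayed))
```

Run it with a CONNECT for a host that is not on the list and the relayed tail is a TLS record the proxy can only copy; with a listed host the tunnel is refused and nothing is relayed, which is the "site isn't available" outcome Michael describes.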

Bob Proulx

Mar 22, 2015, 6:30:06 PM
Sven Hartge wrote:
> Michael I. wrote:
> > Is there really no way to redirect https request to an errorpage with
> > squid3+squidguard?
>
> Short answer: No, there is not.

+1, No there is not for the reasons Sven described.

> Long answer: The only way is to setup a transparent proxy, intercepting
> any outbound connection and terminating the encryption on the proxy. You
> will need a fake CA certificate with which the proxy is able to create
> fake server certificates so the client still thinks it is connected to
> the real server.
>
> And here it gets a) dangerous and b) expensive.

It is extremely bad, bad, bad, as well as dangerous. I haven't been
following the news in great detail but read all about Komodia's recent
news articles. Komodia's cracking tools are used in Superfish and
Lenovo was in trouble for pre-installing Superfish.

They apparently do exactly the above of setting up a fake certificate
authority on the local machine and proxying https through. And made
multiple mistakes in the implementation making them a security
disaster in multiple different ways. Very bad. There are many news
articles on the debacle to read all about it. Don't do it.

Bob

Sven Hartge

Mar 22, 2015, 9:00:06 PM
Bob Proulx <b...@proulx.com> wrote:
> Sven Hartge wrote:
>> Michael I. wrote:

>>> Is there really no way to redirect https request to an errorpage
>>> with squid3+squidguard?

>> Long answer: The only way is to setup a transparent proxy,
>> intercepting any outbound connection and terminating the encryption
>> on the proxy. You will need a fake CA certificate with which the
>> proxy is able to create fake server certificates so the client still
>> thinks it is connected to the real server.
>>
>> And here it gets a) dangerous and b) expensive.

> It is extremely bad, bad, bad, as well as dangerous. I haven't been
> following the news in great detail but read all about Komodia's recent
> news articles. Komodia's cracking tools are used in Superfish and
> Lenovo was in trouble for pre-installing Superfish.

There are network policy/security appliances in the enterprise world
which implement a scanning proxy for HTTPS. They come with either a
wildcard certificate for * (signed by a valid CA!) or a fake CA
certificate, which you install onto your computers to enable the
appliance to function.

This is of course very dangerous if you don't know what you are doing,
but sometimes there are no other options (for example HIPAA, SOX, PCI,
...) if you have to absolutely control the flow and content of data.

But then, if you are in the area where you need such
MitM-Filter-SSL-breaking-proxies, then you already know how to do it
and when to do it.

If you don't know how to do it and when to do it, chances are you don't
need it.

Guessing from Michael's TLD, he is German. This means there are several
other things to consider, based on the environment this is done in. If
this is for a company or governmental agency, the Betriebsrat (works
council) or the Personalrat and the local Datenschutzbeauftragter (data
security official) have to be involved.

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/kbfqc9...@mids.svenhartge.de

linux-m...@abwesend.de

Mar 23, 2015, 4:40:04 AM
Hello Sven and the others,

thanks for the help.

I thought there was a simple and secure way to redirect to a 'This Site has been blocked' page for HTTP and HTTPS. But if I must destroy the safety of HTTPS this isn't an option.

It is a nice-to-have feature in my project, so the user can see this site has been blocked and there are no connection troubles (the browser error page).

Greetings,
Michael
Archive: https://lists.debian.org/trinity-16611559-8bb9-4e79-9f61-9b027df65c5b-1427099581524@3capp-gmx-bs01

Liam O'Toole

Mar 23, 2015, 5:20:04 AM
On 2015-03-23, linux-m...@abwesend.de <linux-m...@abwesend.de>
wrote:
> Hello Sven and the others,
>
> thanks for the help.
>
> I thought there was a simple and secure way to redirect to a 'This
> Site has been blocked' page for HTTP and HTTPS. But if I must
> destroy the safety of HTTPS this isn't an option.

[SNIP]

You could simply customise the Squid error page instead. It's just a
static HTML document.

--

Liam



Archive: https://lists.debian.org/slrnmgvmdm.5bu...@dipsy.tubbynet

linux-m...@abwesend.de

Mar 23, 2015, 5:40:03 AM
Hello Liam,

thanks for the hint, but the error page I get is a browser error page (it's the connection failed error page) and not a squid error page.

--

Michael
Archive: https://lists.debian.org/trinity-f32bc526-85a2-4ecc-8a27-e1eb0753cda2-1427103381216@3capp-gmx-bs69

Sven Hartge

Mar 23, 2015, 9:10:05 AM
Liam O'Toole <liam.p...@gmail.com> wrote:
> On 2015-03-23, linux-m...@abwesend.de <linux-m...@abwesend.de>
> wrote:

>> I thought there was a simple and secure way to redirect to a 'This
>> Site has been blocked' page for HTTP and HTTPS. But if I must
>> destroy the safety of HTTPS this isn't an option.

> [SNIP]

> You could simply customise the Squid error page instead. It's just a
> static HTML document.

Which still won't work with HTTPS.

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/lbfrnn...@mids.svenhartge.de

Michael I.

Mar 23, 2015, 6:30:04 PM
Hello again,

I tested around a bit with squid3+squidguard and I found out that the
redirect works with Internet Explorer (IE 11).

Then I tested some other browsers (Firefox, Chrome, ...) and with all the
other browsers the redirect didn't work.

Is there a bug in Internet Explorer or is this because IE handles
https in another way?

Greetings,
Michael

Sven Hartge <sv...@svenhartge.de> wrote:
> Liam O'Toole <liam.p...@gmail.com> wrote:
>> On 2015-03-23, linux-m...@abwesend.de <linux-m...@abwesend.de>
>> wrote:
>
>>> I thought there was a simple and secure way to redirect to a 'This
>>> Site has been blocked' page for HTTP and HTTPS. But if I must
>>> destroy the safety of HTTPS this isn't an option.
>
>> [SNIP]
>
>> You could simply customise the Squid error page instead. It's just a
>> static HTML document.
>
> Which still won't work with HTTPS.
>
> Grüße,
> Sven.
>


Archive: https://lists.debian.org/55109358...@abwesend.de

Sven Hartge

Mar 24, 2015, 6:40:06 AM
Michael I. <linux-m...@abwesend.de> wrote:

> I tested around a bit with squid3+squidguard and I found out that the
> redirect works with Internet Explorer (IE 11).

> Then I tested some other browsers (Firefox, Chrome, ...) and with all
> the other browsers the redirect didn't work.

> Is there a bug in Internet Explorer or is this because IE
> handles https in another way?

Hard to guess, since you never told us exactly what your configuration in
squid3, squidguard and the browser is, or what exactly you do to get a
specific result (error page, redirected page, etc.).

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/mbfu3k...@mids.svenhartge.de

Bob Proulx

Mar 24, 2015, 5:40:07 PM
Sven Hartge wrote:
> Michael I. wrote:
> > I tested around a bit with squid3+squidguard and I found out that the
> > redirect works with Internet Explorer (IE 11).
>
> > Then I tested some other browsers (Firefox, Chrome, ...) and with all
> > the other browsers the redirect didn't work.

Be careful using browsers to test redirects because browsers strongly
cache results. It causes endless confusion with people. The network
wisdom is to test using tools such as wget and curl which don't cache
and look at the headers for verification.

wget -S -O/dev/null https://somesite.example.com/

The command line is preferred because it is a zillion times faster
than exiting the browser and flushing the browser cache manually
before every browser test. It avoids the possibility of a monkey
testing mistake.

> > Is there a bug in Internet Explorer or is this because IE
> > handles https in another way?
>
> Hard to guess since you never told us exactly what your configuration in
> squid3, squidguard and the browser is, what exactly you do to get a
> specific result (error page, redirected page, etc.).

I immediately suspect browser caching a previous redirect since that
has been a problem so many times before.

Bob
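Bob's advice is to verify a redirect from the response headers rather than from what a browser shows. As an added example (not Bob's code; the transcript below is constructed in the shape of `wget -S` output, with placeholder host names), the block parses the server responses wget prints, each header line indented by two spaces, into the chain of status codes and Location headers, so a test can assert that the first hop really is the proxy's redirect and not a cached browser result.

```python
import re

# Constructed transcript in the shape of `wget -S` output (placeholder hosts):
# wget prints every server response it receives, each header line indented by
# two spaces, and follows redirects by default, so a redirect shows up as two
# responses.
SAMPLE_WGET_OUTPUT = """\
--2015-03-24 17:00:00--  http://www.blocked.example/
Resolving www.blocked.example... 192.0.2.10
Connecting to www.blocked.example|192.0.2.10|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Location: http://proxy.example/blocked.html
  Content-Length: 0
Location: http://proxy.example/blocked.html [following]
--2015-03-24 17:00:00--  http://proxy.example/blocked.html
Connecting to proxy.example|192.0.2.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Content-Type: text/html
  Content-Length: 512
Length: 512 [text/html]
"""

STATUS_RE = re.compile(r"^  HTTP/\d\.\d (\d{3})\b")
HEADER_RE = re.compile(r"^  ([A-Za-z0-9-]+):\s*(.*)$")


def parse_responses(output: str):
    """Return one {'status': int, 'headers': {name: value}} per server response
    found in wget -S output; header names are lower-cased."""
    responses, current = [], None
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            current = {"status": int(m.group(1)), "headers": {}}
            responses.append(current)
            continue
        m = HEADER_RE.match(line)
        if m and current is not None:
            current["headers"][m.group(1).lower()] = m.group(2)
        elif not line.startswith("  "):
            current = None          # back to wget's own progress lines
    return responses


def redirect_chain(output: str):
    """List of (status, location) hops in the order wget received them."""
    return [(r["status"], r["headers"].get("location")) for r in parse_responses(output)]


def redirected_to(output: str, target_prefix: str) -> bool:
    """True if the very first server answer was a 3xx pointing at target_prefix,
    i.e. the proxy really issued the redirect (a cached browser result cannot
    appear here, which is Bob's point)."""
    chain = redirect_chain(output)
    if not chain:
        return False
    status, location = chain[0]
    return 300 <= status < 400 and (location or "").startswith(target_prefix)


if __name__ == "__main__":
    for hop in redirect_chain(SAMPLE_WGET_OUTPUT):
        print(hop)
```

This check is only meaningful for an http:// URL. For an https:// URL the proxy sees nothing but the CONNECT, as the thread explains, and wget reports a failed connection rather than a redirect.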

Michael I.

Mar 26, 2015, 7:40:06 AM
Hello, it's me again,

thanks for the hint with wget, this was very useful.

The problem with not redirecting https to an error page is not solved, but
this is okay. It's only a nice-to-have feature to redirect to an error page.

But I have a new problem: I want to have a transparent proxy for http.
This works fine, but when I add the iptables rule for https the loading
won't work.

With the config now you can bypass the blocking by using https, this
is not so good.

I think it's the same as the other problem I had: squid3 is not able to
read and understand the https traffic unless I break the https protocol.

But when I use the CONNECT method to tunnel the https traffic I
thought I could block the https sites with the transparent proxy.

Here is my iptables rule for https:

> iptables -t nat -A PREROUTING -p TCP --dport 443 -j REDIRECT --to-port 3128

Here is my squid3 config file:

> http_port 3128 intercept
>
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 2
>
> cache_mem 32 MB
> maximum_object_size 10000 KB
> maximum_object_size_in_memory 32 KB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
>
> cache_dir aufs /var/spool/squid3 2048 128 1024
>
> acl manager proto cache_object
>
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
> acl net1 src 172.16.1.0/24
> acl net2 src 172.16.2.0/24
> acl net3 src 172.16.3.0/24
>
> acl SSL_PORTS port 443
>
> acl SAFE_PORTS port 21
> acl SAFE_PORTS port 80
> acl SAFE_PORTS port 443
>
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !SAFE_PORTS
> http_access deny CONNECT !SSL_PORTS
>
> http_access allow localhost
> http_access allow net1
> http_access allow net2
> http_access allow net3
> http_access deny all

Thanks for the help!

best regards,
Michael
Archive: https://lists.debian.org/5513EE85...@abwesend.de

Sven Hartge

Mar 26, 2015, 8:00:05 AM
Michael I. <linux-m...@abwesend.de> wrote:

> But I have a new problem: I want to have a transparent proxy for http.
> This works fine, but when I add the iptables rule for https the loading
> won't work.

Of course not. That this is not working is the _whole point_ of any
end-to-end encrypted connection.

What you are effectively trying to do is a Man-in-the-Middle "attack".

You cannot transparently proxy *any* encrypted connection without major
trickery, like I wrote in my first mail. You would need a fake CA
certificate (for why this is a _very_ bad idea you just have to look at
the latest CNNIC and MSC debacle: (sorry, German URLs)
<https://www.psw-group.de/blog/cnnic-signiert-falsche-google-zertifikate/2112>
or
<http://www.heise.de/security/meldung/Google-deckt-erneut-Missbrauch-im-SSL-Zertifizierungssystem-auf-2583414.html>),
and have your proxy terminate the end-to-end encryption by issuing a
fake certificate on the fly, so that the client is satisfied, and then
create another new encrypted connection to the intended end-point.

There _are_ security appliances out there which work in that way but
they are considered _very_ *very* bad practice and should be avoided at
all costs.

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/11bg3g...@mids.svenhartge.de

Peter Viskup

Mar 26, 2015, 8:30:06 AM
Hi,
just jumped into the SSLBump/Split features some months ago. I don't find these features harmful. Especially when protecting your children from access to YouTube or other possibly harmful sites. Once you are logged in with a Google account they redirect your communication to https, which makes the inspection impossible. Squid's SSLBump/Split (whose name in the latest version is SslPeekAndSplice) is the only feature which will make the inspection happen. This means there are still some cases where this feature is very helpful and the only one freely available.

--
Peter Viskup
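Michael's iptables rule sends port 443 to `http_port 3128 intercept`, a listener that expects an HTTP request, but the first bytes of an intercepted HTTPS connection are a TLS ClientHello, so there is no request line to hand to squidGuard. The SslPeekAndSplice feature Peter names works at this layer: before any decryption it can read exactly one policy-relevant field, the server name (SNI) in the ClientHello, and then either splice the connection through untouched or terminate it. The block below is an added example, not code from the thread, from Squid or from squidGuard: it builds a constructed ClientHello, parses the SNI out of it the way such a peek step would, and applies a constructed blocklist, which goes beyond the thread in showing the SNI-based check explicitly. Note what it cannot do: terminating the connection leaves the browser showing its own connection error, exactly what Michael sees, and serving a proxy-generated page would need the fake CA Sven warns about. A client that sends no SNI gets a separate answer so the policy can choose.

```python
import struct

# Constructed blocklist standing in for the lists squidGuard consults.
BLOCKED_DOMAINS = {"blocked.example"}


def domain_blocked(host: str) -> bool:
    """True if host or any parent domain is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def build_client_hello(host=None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a
    capture). With host=None no extensions are sent, as a client without SNI would."""
    extensions = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # type 0 = server_name
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + b"\x11" * 32                               # random (constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record 0x16


def extract_sni(data: bytes):
    """Return the host name from the server_name extension of a ClientHello, else None."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                             # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000 or len(edata) < 5:
            continue
        q = 2                                        # skip server_name_list length
        while q + 3 <= len(edata):
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def peek_decision(first_bytes: bytes) -> str:
    """What a TLS-aware intercepting listener can decide from the first client
    bytes alone. 'splice' passes the connection through untouched, 'terminate'
    closes it (the browser then shows its own connection error, not a proxy
    page), 'no-sni' means there is no name to judge and policy must pick."""
    sni = extract_sni(first_bytes)
    if sni is None:
        return "no-sni"
    return "terminate" if domain_blocked(sni) else "splice"


if __name__ == "__main__":
    for host in ("www.blocked.example", "www.debian.org", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), peek_decision(hello))
```

The decision is made on the name the client itself announces, so it is only as reliable as the client is honest; that is the same limit a CONNECT host check has, and it is still far less risky than terminating the encryption.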

Reco

Mar 26, 2015, 9:00:04 AM
Hi.

On Thu, 26 Mar 2015 13:21:57 +0100
Peter Viskup <skup...@gmail.com> wrote:

> Hi,
> just jumped into SSLBump/Split features some months ago. I don't find these
> features harmful. Especially when protecting your children from access of
> YouTube or other possibly harmful sites. Once you are logged with Google
> account they redirect your communication to https which makes the
> inspection not possible. The Squid's SSLBump/Split (whose name in latest
> version SslPeekAndSplice) is the only feature which will make the
> inspection happen. This means there are still some cases where this feature
> is very helpful and the only one freely available.

If you're considering that spying on your own children is a good idea -
I don't even know what to say. They solve such problems here by
educating children, not limiting their internet access. Besides, if a
child really wants to bypass such access control, he or she will
find a way sooner or later (hint - a cellphone, for instance).

The only good usage of SSL Bump in my book is reverse-engineering
certain proprietary applications.

Reco


Archive: https://lists.debian.org/20150326155150.2469...@gmail.com

Michael I.

Mar 26, 2015, 9:10:03 AM
Sven Hartge <sv...@svenhartge.de> wrote:
> Michael I. <linux-m...@abwesend.de> wrote:
>
>> But I have a new problem: I want to have a transparent proxy for http.
>> This works fine, but when I add the iptables rule for https the loading
>> won't work.
>
> Of course not. That this is not working is the _whole point_ of any
> end-to-end encrypted connection.
>
> What you are effectively trying to do is a Man-in-the-Middle "attack".
>

All I want is to protect children from harmful content (adult content).

> You cannot transparently proxy *any* encrypted connection without major
> trickery, like I wrote in my first mail. You would need a fake CA
> certificate (for why this is a _very_ bad idea you just have to look at
> the latest CNNIC and MSC debacle: (sorry, German URLs)
> <https://www.psw-group.de/blog/cnnic-signiert-falsche-google-zertifikate/2112>
> or
> <http://www.heise.de/security/meldung/Google-deckt-erneut-Missbrauch-im-SSL-Zertifizierungssystem-auf-2583414.html>),
> and have your proxy terminate the end-to-end encryption by issuing a
> fake certificate on the fly, so that the client is satisfied, and then
> create another new encrypted connection to the intended end-point.
>
> There _are_ security appliances out there which work in that way but
> they are considered _very_ *very* bad practice and should be avoided at
> all costs.
>

I don't want to fake a CA certificate because of the danger.

Is there any other way to block those sites? Maybe block the IPs in the
firewall, but I think this is a big hassle?

> Grüße,
> Sven.
>


Archive: https://lists.debian.org/551403F7...@abwesend.de

Sascha Steinmann (adremes GmbH & Co KG)

Mar 26, 2015, 9:30:05 AM
I agree 100% with Reco.
Don't use technical stuff to protect your children.
Teach them to use their brains, to protect themselves.
It's the most important thing when you sit in front of a computer.
When you want to block adult content you have to block 80% of the entire visible web.
And you will spend your evenings keeping your blacklists up to date.
Greetings
Sascha

-----Original Message-----
From: Reco [mailto:recov...@gmail.com]
Sent: Thursday, 26 March 2015 13:52
To: debia...@lists.debian.org
Subject: Re: Redirect HTTPS with Squid3+Squidguard
Archive: https://lists.debian.org/F6DA57C02758BB41BF46...@EX10MBOX1E.hosting.inetserver.de

Peter Viskup

Mar 26, 2015, 9:30:05 AM
It's the way you look at it.
For me it's about prevention... your child can click on some link somewhere and see some pictures/videos which will remain in his/her mind (let's say) forever and can harm even if they were seen for only seconds... I am speaking about children less than 15 years old... and even older children need protection.

Peter Viskup

Mar 26, 2015, 9:30:06 AM
Without the SSL splitting the only option is to install some software on the client side. Some "endpoint" security software doing the inspection of the web data transfers on the fly before they pass into the TLS tunnel. It's the same as SSL split on Squid, but let's say more transparent. Unfortunately I don't know any such software for Linux - all of those I know are for Windows, as this OS has an API for that "spying".
I can mention two of them:
 - Kaspersky Internet Security
 - Eset Endpoint Security
These are my favorites, but there are other SWs available.
The open source and best way to protect children is the proxy with SSLBump.
Have a look at Untangle [1] for a complete FW solution with the SSLBump feature.

[1] www.untangle.com






Sven Hartge

Mar 26, 2015, 9:40:03 AM
Michael I. <linux-m...@abwesend.de> wrote:
> Sven Hartge <sv...@svenhartge.de> wrote:
>> Michael I. <linux-m...@abwesend.de> wrote:

>>> But I have a new problem: I want to have a transparent proxy for
>>> http. This works fine, but when I add the iptables rule for https the
>>> loading won't work.
>>
>> Of course not. That this is not working is the _whole point_ of any
>> end-to-end encrypted connection.
>>
>> What you are effectively trying to do is a Man-in-the-Middle
>> "attack".

> All I want is to protect children from harmful content (adult content).

You have already lost. If you build walls around content you don't like,
your children _will_ find ways of accessing it some other way. Besides,
all younger children (younger than 12/14 years) I observed surfing the web
don't have any direct interest in "nudity" anyway. And if they stumble
upon such an image the reaction was "eww, gross" and a quick click on
the "Back"-button. And older children, after starting puberty, already
had several access methods for "recreational pictures", mostly through
friends.

There is no way of protecting your children by technical means without
going down a rabbit hole of problems and inconveniences.

Educate them, supervise them. There is no other way.

By building a "STOP sign" in front of things you only heighten the
curiosity.

If your children are too young, they shouldn't use the Internet without
a parent (or other trusted person) present anyway.

If they are old enough, you have to learn to trust them and exercise
other disciplinary consequences if they do things they should not do.

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/12bg3m...@mids.svenhartge.de

Sven Hartge

Mar 26, 2015, 9:50:04 AM
Peter Viskup <skup...@gmail.com> wrote:

> It's the way you look at. For me it's about prevention...your child
> can click on some link somewhere and see some pictures/videos which
> will remain in his/her mind (let's say) forever and can harm even if
> it was only seconds they were seen...I am speaking about children less
> than 15 years old...and even older children needs protection.

"[citation needed]". I don't know where this came from, but this is a
phrase I hear and read very often: "Oh, a picture of a nude woman will
cause harm to my child."

Younger children don't understand "nudity" and the badness, associated
with it by the adult world and its social norms.

Older children, after hitting puberty, are of course interested in such
stuff, because this belongs to the process of growing up. But there is
no technical way of shielding a curious 15-year-old from finding nude
pictures on the web without switching network access off as a whole.

Grüße,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/13bg3m...@mids.svenhartge.de

John Hasler

Mar 26, 2015, 10:00:04 AM
Why don't you just get rid of the computers?
--
John Hasler
jha...@newsguy.com
Elmwood, WI USA


Archive: https://lists.debian.org/87y4mjs...@thumper.dhh.gt.org

Reco

Mar 26, 2015, 11:20:05 AM
Hi.

On Thu, 26 Mar 2015 14:29:08 +0100
Peter Viskup <skup...@gmail.com> wrote:

> It's the way you look at.
> For me it's about prevention...your child can click on some link somewhere
> and see some pictures/videos which will remain in his/her mind (let's say)
> forever and can harm even if it was only seconds they were seen...I am
> speaking about children less than 15 years old...and even older children
> needs protection.

And just as well a child can see a naughty picture on TV. Or a phone ad.
Or a magazine/newspaper. Anywhere, once you start thinking about it.

Whatever damage is done depends on the child's state of mind, which is
influenced by his/her prior education. Which, for the most part, should
be (IMO) provided by parents first, and society (friends, school,
whatever) second.

And internet censorship is not a substitute for education. The only
thing that censorship can teach is how to work around it. Or that one's
parents are complete <insert_some_profanity_here>. Is that how you want
your children to perceive you?

Besides, what's up with this 15 years mark? Why is 14 too early and 16
too old? For example, puberty is considered to start at 12 where I
live; full civil rights are granted at 18.


Reco


Archive: https://lists.debian.org/20150326181312.f08a...@gmail.com

Peter Viskup

Mar 26, 2015, 11:50:04 AM
Hello Reco,

On Thu, Mar 26, 2015 at 4:13 PM, Reco <recov...@gmail.com> wrote:
> Hi.
>
> And just as well a child can see a naughty picture on TV. Or a phone ad.
> Or a magazine/newspaper. Anywhere, once you start thinking about it.

And that's just sad, disturbing and one of the main reasons so many people face porn addiction.

> Whatever damage is done depends on the child's state of mind, which is
> influenced by his/her prior education. Which, for the most part, should
> be (IMO) provided by parents first, and society (friends, school,
> whatever) second.

First I would recommend you to read something about the psychology of children.

> And internet censorship is not a substitute for education. The only
> thing that censorship can teach is how to work around it. Or that one's
> parents are complete <insert_some_profanity_here>. Is that how you want
> your children to perceive you?

From this point of view all aspects of parenting are censorship. It's not about government internet censorship - differentiate between parenting and freedom protection, and well, I didn't say that education is not needed.

> Besides, what's up with this 15 years mark?

Just as an example - no other meaning, everybody can choose their own number. ;-)

My last sentence to this thread - read "The Little Prince" a lot, and once you understand what all this is about you will probably be ready for reading Citadelle. Yes - I know - too pathetic for somebody...

Reco

Mar 26, 2015, 12:50:04 PM
Hi.

On Thu, 26 Mar 2015 16:48:00 +0100
Peter Viskup <skup...@gmail.com> wrote:

> Hello Reco,
>
> On Thu, Mar 26, 2015 at 4:13 PM, Reco <recov...@gmail.com> wrote:
>
> > Hi.
> > And just as well child can see a naughty picture on TV. Or a phone ad.
> > Or a magazine/newspaper. Anywhere, once you start thinking about it.
> >
>
> And that's just sad, disturbingly and one of the main reasons of so many
> people facing porn addiction.

No. The only possibly depressing thing about it is the ones who abuse
basic human instincts to sell goods. Or rather the fact that said ones
do not face consequences for their actions. Whether an arbitrary picture
is 'porn' or not is in the eye of the beholder.


> > Whatever damage is done depends on child's state of mind, which is
> > influenced by his/her prior education. Which, for the most part, should
> > be (IMO) provided by parents first, and society (friends, school,
> > whatever) - second.
> >
>
> First would recommend you to read something about the psychology of
> children.

I have two children, so I speak from my own experience with them. Now,
how many children do you have?


> > And internet censorship is not a substitute of education. The only
> > thing that censorship can teach is how to workaround it. Or that one's
> > parents are complete <insert_some_profanity_here>. Is that how you want
> > your children to perceive you?
> >
>
> From this point of view all aspects of parenting are censorship. It's not
> about the government internet censorship - differentiate between parenting
> and freedom protection and well - I didn't tell the education is not needed.

No, this is where you've got it wrong. It's one thing if a parent
explicitly forbids a child to do something, as it implies human
interaction. It's another thing if a parent relies on some inanimate
object (say, a Squid proxy server) to force an arbitrary restriction.

And forcing the child to accept surveillance or censorship at such an
early age may cause actual damage, as in turn it may cause the child to
accept surveillance or censorship (provided by government or
employer) as a normal thing in the future.

Of course, there are worse things that can be done with children, such as
introducing them to the social networks ;)


> > Besides, what's up with this 15 years mark?
> >
>
> Just as an example - no other meaning, everybody can choose its own number.
> ;-)

Last time they chose a number in China, they built the Great Chinese
Firewall for everyone.

Every time they choose a number in the Middle East, they usually ban
everything short of a couple of 'approved' sites.

Last time they chose a number in England they effectively banned 3/4
of the Internet. Unless you opt out and mark yourself as a CP consumer, or
so I heard.

On the bright side of things, last time they chose a number in Russia,
a number had chosen them :)

So, careful with the numbers, as they carry power.


> My last sentence to this thread - read "The Little Prince" a lot and once
> you will understand what's all this about probably and then you will be
> ready for reading Citadelle. Yes - I know - too much pathetic for
> somebody...

I read the first one about 20 years ago as part of my school education,
actually. I don't feel the need to re-read it yet.
I don't recall reading the second one, though.

But in return I'd like to recommend reading the novel '1984' by George
Orwell.

Reco


Archive: https://lists.debian.org/20150326194704.0e5b...@gmail.com

Michael I.

Mar 26, 2015, 1:10:04 PM
Sven Hartge <sv...@svenhartge.de> wrote:
> Michael I. <linux-m...@abwesend.de> wrote:
>> Sven Hartge <sv...@svenhartge.de> wrote:
>>> Michael I. <linux-m...@abwesend.de> wrote:
>
>>>> But I have a new problem: I want to have a transparent proxy for
>>>> http. This works fine, but when I add the iptables rule for https the
>>>> loading won't work.
>>>
>>> Of course not. That this is not working is the _whole point_ of any
>>> end-to-end encrypted connection.
>>>
>>> What you are effectively trying to do is a Man-in-the-Middle
>>> "attack".
>
>> All I want is to protect children from harmful content (adult content).
>
> You have already lost. If you build walls around content you don't like,
> your children _will_ find ways of accessing it some other way. Besides,
> all younger children (younger than 12/14 years) I observed surfing the web
> don't have any direct interest in "nudity" anyway. And if they stumble
> upon such an image the reaction was "eww, gross" and a quick click on
> the "Back"-button. And older children, after starting puberty, already
> had several access methods for "recreational pictures", mostly through
> friends.
>

These are not my children; the filter is used for a school.

The filter is used for prevention. I am totally on your side: children
at home need trust, but in school the teacher can't look at all computers.

So I need a filter. The filter doesn't have to block all adult content, but
if I block 70% of all the adult content this is better than nothing.

> There is no way of protecting your children by technical means without
> going down a rabbit hole of problems and inconveniences.
>
> Educate them, supervise them. There is no other way.
>
> By building a "STOP sign" in front of things you only heighten the
> curiosity.
>
> If your children are too young, they shouldn't use the Internet without
> a parent (or other trusted person) present anyway.
>

In school, computers are being used more and more.

> If they are old enough, you have to learn to trust them and exercise
> other disciplinary consequences if they do things they should not do.
>

As I said, for private usage I am totally on your side.

> Regards,
> Sven.
>


Archive: https://lists.debian.org/55143C62...@abwesend.de

Michael I.
Mar 26, 2015, 1:20:05 PM
Hello,

for private usage I think a filter isn't good; children need trust,
and a filter is the opposite of trust.

But for usage in a school I think a filter is better; a teacher can't
look at all computers. The kids try out things in school, which is
good, but when nobody is there to explain the things that they see,
this isn't good. My target isn't to block all adult content, but if I
block 60% of all adult content this is still better than nothing.

Greetings,
Michael
Archive: https://lists.debian.org/55143F60...@abwesend.de

Dan Purgert
Mar 26, 2015, 1:30:05 PM
On Thu, 26 Mar 2015 08:49:37 -0500, John Hasler wrote:

> Why don't you just get rid of the computers?

I tried that route one time ... got looked at like I had 7 heads for even
suggesting that the kids go back to "textbooks and paper".



Archive: https://lists.debian.org/mf1f4o$qp1$1...@ger.gmane.org

Sven Hartge
Mar 26, 2015, 1:30:05 PM
Michael I. <linux-m...@abwesend.de> wrote:

> This are not my children, the filter is used for a school.

Aha, important information.

Do not proceed any further with breaking encrypted connections or, for
that matter, transparently proxying _any_ connections until you have had a
talk with a) the Justitiar (legal counsel) and b) the Datenschutz- und
Datensicherheitsbeauftragten (data protection and data security officer)
responsible for your school.

You may already be in trouble if you did not announce what you are
doing. You really, really need to talk to those two people before taking
any further steps.

Regards,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/14bg43...@mids.svenhartge.de

Reco
Mar 26, 2015, 2:20:06 PM
Hi.

On Thu, 26 Mar 2015 18:18:24 +0100
"Michael I." <linux-m...@abwesend.de> wrote:

> Hello,
>
> for private usage I think a filter isn't good; children need trust,
> and a filter is the opposite of trust.
>
> But for usage in a school I think a filter is better; a teacher can't
> look at all computers. The kids try out things in school, which is
> good, but when nobody is there to explain the things that they see,
> this isn't good. My target isn't to block all adult content, but if I
> block 60% of all adult content this is still better than nothing.

Then it's even worse than I thought. I don't know about Germany, but
where I live tampering with public communications is considered a
criminal offense. I strongly suggest you seek legal advice before
doing anything like SSL bump.

Reco


Archive: https://lists.debian.org/20150326211809.aad7...@gmail.com

Sven Hartge
Mar 26, 2015, 2:30:07 PM
Reco <recov...@gmail.com> wrote:
> On Thu, 26 Mar 2015 18:18:24 +0100 "Michael I." <linux-m...@abwesend.de> wrote:

>> for private usage I think a filter isn't good; children need trust,
>> and a filter is the opposite of trust.
>>
>> But for usage in a school I think a filter is better; a teacher can't
>> look at all computers. The kids try out things in school, which
>> is good, but when nobody is there to explain the things that they
>> see, this isn't good. My target isn't to block all adult content, but
>> if I block 60% of all adult content this is still better than
>> nothing.

> Then it's even worse than I thought. I don't know about Germany, but
> where I live tampering with public communications is considered a
> criminal offense. I strongly suggest you seek legal advice before
> doing anything like SSL bump.

It is not very different for Germany either.

I moved the lawyerly bits to private mail because I don't want to bore
the list to death with it, and talking about rules and regulations is
easier in the native tongue ;)

Regards,
Sven.

--
Sigmentation fault. Core dumped.


Archive: https://lists.debian.org/15bg47...@mids.svenhartge.de

rog...@queernet.org
Mar 26, 2015, 3:50:04 PM
On 3/26/15 12:42 PM, Michael Graham wrote:
> On 26 March 2015 at 14:18, Reco <recov...@gmail.com> wrote:
>> Then it's even worse than I thought. I don't know about Germany, but
>> where I live tampering with public communications is considered a
>> criminal offense. I strongly suggest you seek legal advice before
>> doing anything like SSL bump.
> Just out of curiosity where do you live? As MITM proxies in school/business
> seem to be pretty common in the US and the UK.
>

I bet your proxy firewall does it too.


Archive: https://lists.debian.org/5514618B...@queernet.org

Michael Graham
Mar 26, 2015, 3:50:04 PM
On 26 March 2015 at 14:18, Reco <recov...@gmail.com> wrote:
> Then it's even worse than I thought. I don't know about Germany, but
> where I live tampering with public communications is considered a
> criminal offense. I strongly suggest you seek legal advice before
> doing anything like SSL bump.

Just out of curiosity where do you live? As MITM proxies in school/business
seem to be pretty common in the US and the UK.

Cheers,
--
Michael Graham <oobe...@gmail.com>


Archive: https://lists.debian.org/CAC2SvHxMEBN0UTN0h+nv2xW4...@mail.gmail.com

Reco
Mar 26, 2015, 5:20:05 PM
Hi.

On Thu, 26 Mar 2015 12:44:11 -0700
rog...@queernet.org wrote:

> On 3/26/15 12:42 PM, Michael Graham wrote:
> > On 26 March 2015 at 14:18, Reco <recov...@gmail.com> wrote:
> >> Then it's even worse than I thought. I don't know about Germany, but
> >> where I live tampering with public communications is considered a
> >> criminal offense. I strongly suggest you seek legal advice before
> >> doing anything like SSL bump.
> > Just out of curiosity where do you live? As MITM proxies in school/business
> > seem to be pretty common in the US and the UK.
> >
>
> I bet your proxy firewall does it too.

Ow. Exactly which kind of consumer-grade hardware comes with SSL bump
preinstalled? That's very interesting to me, as I'd like to know which
hardware to avoid in the future.

Reco


Archive: https://lists.debian.org/20150327001748.eaa7...@gmail.com

Bob Proulx
Mar 26, 2015, 6:00:05 PM
rog...@queernet.org wrote:
> Michael Graham wrote:
> > As MITM proxies in school/business seem to be pretty common in the
> > US and the UK.
>
> I bet your proxy firewall does it too.

I bet not! I think you are confusing https with http. We are talking
about https here not http. And even then I don't know of any consumer
grade firewalls that configure an http proxy by default. Those tend
to only be in industrial grade systems for larger sites for bigger
companies and campuses. I bet you are thinking of those http proxies.

In regards to this when I am setting up a web form I always set up the
form using https now. I have too many times had to deal with broken
company proxies that mangled http POST data. I could name names but I
would be violating confidentiality agreements. I saw one that was so
broken with mangled POST data that I couldn't believe it was working
for anyone for anything. Wow it was bad. Not to mention the normal
mundane problems routinely seen of stale cached pages and so forth
that everyone runs into sometime.

Having been hurt before I now only use https for any web form entry
even trivial stuff not needing security or privacy. I now use https
specifically to avoid broken http proxies in between user and server.
So far I haven't yet run into anyone with a fake CA MITM proxy in
between yet. But I am sure it will happen eventually.

Bob

Michael Graham
Mar 26, 2015, 7:40:09 PM

On Thu, 26 Mar 2015 17:18 Reco <recov...@gmail.com> wrote:


>
>  Hi.
>
> On Thu, 26 Mar 2015 12:44:11 -0700
> rog...@queernet.org wrote:
>
> > On 3/26/15 12:42 PM, Michael Graham wrote:
> > > On 26 March 2015 at 14:18, Reco <recov...@gmail.com> wrote:
> > >> Then it's even worse than I thought. I don't know about Germany, but
> > >> where I live tampering with public communications is considered a
> > >> criminal offense. I strongly suggest you seek legal advice before
> > >> doing anything like SSL bump.
> > > Just out of curiosity where do you live?  As MITM proxies in school/business
> > > seem to be pretty common in the US and the UK.
> > >
> >
> > I bet your proxy firewall does it too.
>
> Ow. Exactly which kind of consumer-grade hardware comes with SSL bump
> preinstalled? That's very interesting to me, as I'd like to know which
> hardware to avoid in the future.

It's way more common than you seem to think. CERT recently did a blog post about it and it contains a list of both hardware vendors (like Bloxx and Blue Coat) as well as commercial and free software.

http://www.cert.org/blogs/certcc/post.cfm?EntryID=221

Basically if you're selling a web filter or similar security device, you let admins bump SSL.

Given how easy it is for those same admins to push the fake SSL CAs out over active directory group policy it's pretty much transparent to most naive users who don't understand the difference between https and http never mind trying to explain a MITM proxy with a fake root CA!

Cheers,

Bob Proulx
Mar 26, 2015, 8:40:04 PM
Michael Graham wrote:
> Reco wrote:
> > Ow. Exactly which kind of consumer-grade hardware comes with SSL bump
> > preinstalled? That's very interesting to me, as I'd like to know which
> > hardware to avoid in the future.
>
> It's way more common than you seem to think. CERT recently did a blog post
> about it and it contains a list of both hardware vendors (like Bloxx and
> bluecoat) as well as commercial and free software.
>
> http://www.cert.org/blogs/certcc/post.cfm?EntryID=221
>
> Basically if you're selling a web filter or similar security device, you
> let admins bump SSL.

There are certainly many products that one can buy that do SSL
inspection. No one is saying otherwise. That wasn't the question.
But are any of those commonly used consumer devices?

If someone walks into Fry's or Best Buy and spends less than $100 for
a home firewall router such as a Linksys, Netgear, D-Link then I doubt
it is going to crack open SSL. I doubt they do because doing so would
require additional CAs to be installed on users' tablets and other
systems downstream and that requires too much support and
hand-holding.

Most users would be immediately confused, would consider the device
broken, would return it without ever knowing that they were making the
right decision of avoiding it but without ever understanding the
details. Therefore consumer devices aren't going to go there.

> Given how easy it is for those same admins to push the fake SSL CAs out
> over active directory group policy it's pretty much transparent to most
> naive users who don't understand the difference between https and http
> never mind trying to explain a MITM proxy with a fake root CA!

Agreed in the corporate environments. They have control over the
users equipment. They often require and issue employees with company
laptops. For that type of environment they can do anything.

The warning is clear. Don't use your company laptop for your non-work
anything. It isn't secure. Use your own computer, laptop, tablet,
phone for your banking and anything that needs security.

Bob

Peter Viskup
Mar 27, 2015, 4:20:04 AM
Unfortunately we are living in the real (not ideal) world and there are cases where the SSL split is definitely needed or should at least be considered.
For example, Squid 3.5 comes with a new design of SslBump that allows some inspection of the connection prior to the real SSL split. That gives you the possibility to deeply inspect only traffic which you recognize as suspicious.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Of course users need to be properly informed about such technology being deployed in the environment.

That listing of software providing HTTPS inspection on cert.org is meaningless, as all of today's antivirus software provides this feature, which can be disabled, of course, like for most of the products listed there.
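Added example, not from the thread or from the Squid project's own documentation, of the peek-and-splice approach Peter describes: Squid 3.5 looks at the TLS ClientHello (step 1 and 2 of SslBump) without touching it, then splices (passes through untouched) everything except an explicit inspection list, and only bumps, i.e. re-encrypts with the proxy's own CA, the hosts on that list. The fragment is wrapped in a small shell script that writes it and, where squid is installed, syntax-checks it with `squid -k parse`. The port, CA path, `ssl_crtd` path and the two host lists are assumptions for illustration.

```shell
#!/bin/sh
# Added example: write a Squid 3.5 SslBump peek-and-splice fragment and
# syntax-check it. Port, paths and the host lists are assumptions for
# illustration, not values from the thread.
set -eu

# write_peek_splice_conf FILE
# Writes a squid.conf fragment that peeks at the ClientHello (SNI), splices
# everything by default and bumps only an explicit inspection list.
write_peek_splice_conf() {
    cat > "$1" <<'EOF'
# Transparent HTTPS port; iptables REDIRECTs tcp/443 here (assumed port).
https_port 3129 intercept ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by the bump CA (assumed path).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# SslBump steps: 1 = TCP connection/CONNECT seen, 2 = ClientHello (SNI) seen,
# 3 = server certificate seen.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Constructed host lists for the example.
acl inspect_sites ssl::server_name .example.org
acl never_bump    ssl::server_name .bank.example

# Step 1: only peek, so that at step 2 the SNI is known and both splicing and
# bumping are still possible (bumping after a step-2 peek is not guaranteed).
ssl_bump peek step1
# Step 2: decide on the SNI. First matching rule wins.
ssl_bump splice never_bump
ssl_bump bump inspect_sites
ssl_bump splice all
EOF
    printf '%s\n' "$1"
}

# check_conf FILE
# Runs Squid's own parser over FILE when squid is installed; otherwise says
# the check was skipped. Returns non-zero only if squid rejects the file.
check_conf() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed; skipped 'squid -k parse -f $1'" >&2
    fi
}

# count_bump_rules FILE
# Prints the number of ssl_bump decision lines in FILE.
count_bump_rules() {
    grep -c '^ssl_bump ' "$1"
}
```

Usage: `write_peek_splice_conf /etc/squid/bump.conf && check_conf /etc/squid/bump.conf`, then include the fragment from squid.conf. With this ordering a client whose SNI matches `never_bump` is never decrypted, and a host that matches neither list is spliced, so the proxy only ever holds a cleartext view of the hosts you deliberately listed; the bump CA still has to be installed on every client for the bumped hosts to load without certificate errors.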

Dan Purgert
Mar 27, 2015, 9:50:05 AM
On Thu, 26 Mar 2015 15:53:04 -0600, Bob Proulx wrote:

> rog...@queernet.org wrote:
>> Michael Graham wrote:
>> > As MITM proxies in school/business seem to be pretty common in the US
>> > and the UK.
>>
>> I bet your proxy firewall does it too.
>
> I bet not! I think you are confusing https with http. We are talking
> about https here not http. And even then I don't know of any consumer
> grade firewalls that configure an http proxy by default. Those tend to
> only be in industrial grade systems for larger sites for bigger
> companies and campuses. I bet you are thinking of those http proxies.

Not "by default" per se, but the UBNT EdgeRouter series has the
capabilities to run the squidguard service from the factory (although
blacklists, etc. are up to the end-user).

$100 for the 3-port ERL model, or about $150 for the ER5-PoE model*;
though I suppose it's more a SMB-grade router at a "consumer" price point.

* note that while it has 5 ports it's in a "2 routed + 3 switched"
configuration, as opposed to the more common "WAN + 4 switched" layout of
SOHO stuff from Linksys et. al.





Archive: https://lists.debian.org/mf3mvk$gtp$1...@ger.gmane.org

Chris Bannister
Mar 30, 2015, 7:20:04 AM

[Please don't top post. Please trim unnecessary content.]

On Thu, Mar 26, 2015 at 02:29:08PM +0100, Peter Viskup wrote:
> It's the way you look at it.
> For me it's about prevention... your child can click on some link somewhere
> and see some pictures/videos which will remain in his/her mind (let's say)
> forever and can harm even if they were only seen for seconds... I am
> speaking about children less than 15 years old... and even older children
> need protection.

I know what you mean. There are some horrendous religious sites out
there which contain all sorts of rubbish. The best thing is to educate
your children instead of trying to shelter them from those sites.

--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X


Archive: https://lists.debian.org/20150330111828.GD7096@tal

Stefan Monnier
Mar 30, 2015, 9:20:03 AM
> The best thing is to educate your children instead of trying to
> shelter them from those sites.

"Why choose"
or
"Security in depth"


Stefan


Archive: https://lists.debian.org/jwvr3s6fx4g.fsf-monnier...@gnu.org