[ale] Linux UTM

Michael H. Warfield mhw at WittsEnd.com
Fri Apr 18 17:50:12 EDT 2014


On Fri, 2014-04-18 at 15:19 -0400, Boris Borisov wrote:
> I'm trying to build a UTM based on debian+dansguardian+squid. So far so
> good, everything works. But what to do about https://? Most sites today
> are trying to use secure https, even google search. How can dansguardian
> filter content going over https? Any ideas?

For what purpose?  And by that I mean, what is the user environment and
organizational requirements, and not merely "to filter https".  The
answer to that question is very important.

The goal would be to have a proxy MITM the SSL connection.

If it's for personal purposes, you can create your own certificate for a
proxy and just accept it internally.  You have a limited client set so
that's fairly trivial.

A number of very large international corporations set up their own "wild
card certs" (certs for *) and got them signed (no doubt for vast amounts
of money) by certain CA's.  When some of that was discovered, the
proverbial feces hit the proverbial rapidly whirling blades and said
CA's involved were hit with a nor'easter of fecal flakes.  All that
said, there may still be some out there or you may have an institutional
CA installed (large outfits often do) and then the proxy has the
wildcard cert and key.

If you're not an international head banger or covert governmental TLA,
you probably need to go with an internal CA and have your users install
it in your root store.  That's actually not a big deal.  I have a CA
myself for things like IPSec, OpenVPN, and all my secure E-Mail stuff.
Nobody should install it for anything other than dealing with me but, if
you do, anything it signs would be accepted just like anything from
Verisign.  The deal is getting that CA installed in your root store.
Then your users add it to their keystore and you create a wildcard cert
for your proxy.  For some orgs this would work.  For some it would not.

So it's context, purpose, and organizationally dependent.  Can you do
it?  Yes, for some value of "can".

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
