Sven Hartge <s...@svenhartge.de> wrote:
Michael I. <linux-michae...@abwesend.de> wrote:

But I have a new problem: I want to have a transparent proxy for http.
This works fine, but when I add the iptables rule for https the loading
won't work.

Of course not. That this is not working is the _whole point_ of any
end-to-end encrypted connection.

What you are effectively trying to do is a Man-in-the-Middle "attack".


All I want is to protect children from harmful content (adult content).

You cannot transparently proxy *any* encrypted connection without major
trickery, like I wrote in my first mail. You would need a fake CA
certificate (why this is a _very_ bad idea you just have to look at the
latest CNNIC and MSC debacle: (sorry, German URL)
<https://www.psw-group.de/blog/cnnic-signiert-falsche-google-zertifikate/2112>
or
<http://www.heise.de/security/meldung/Google-deckt-erneut-Missbrauch-im-SSL-Zertifizierungssystem-auf-2583414.html>),
and have your proxy terminate the end-to-end encryption by issuing a fake
certificate on the fly, so that the client is satisfied, and then create
another new encrypted connection to the intended end-point.

There _are_ security appliances out there which work in that way but
they are considered _very_ *very* bad practice and should be avoided at
all costs.


I don't want to fake a CA certificate because of the danger.

Is there any other way to block those sites? Maybe block the IPs in the firewall, but I think this is a big hassle?

Regards,
Sven.
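As an added example (not from this thread or from any of its authors), here is what the firewall-only alternative asked about above could look like: plain HTTP is transparently redirected to a filtering proxy, HTTPS is never redirected (that would need the MITM CA the thread warns against) and is instead rejected for a list of blocked destination addresses. The interface name, proxy port, ipset name and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: emit iptables/ipset rules for "proxy HTTP, block HTTPS by IP".
# Assumed values: LAN interface eth1, transparent proxy on port 3128 (e.g. squid),
# ipset named blocked_https. Set DRY_RUN=1 to print the commands instead of
# executing them (no root needed for a dry run).

LAN_IF="${LAN_IF:-eth1}"          # assumed LAN-facing interface
PROXY_PORT="${PROXY_PORT:-3128}"  # assumed transparent proxy port
SET_NAME="${SET_NAME:-blocked_https}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the rule set for a blocklist given as whitespace-separated IPv4 addresses.
build_rules() {
    blocklist="$1"
    run ipset create "$SET_NAME" hash:ip -exist
    for ip in $blocklist; do
        run ipset add "$SET_NAME" "$ip" -exist
    done
    # Plain HTTP: transparent redirect to the proxy (the part that already works).
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # HTTPS: no redirect (that would require a fake CA); reject by destination IP.
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 443 \
        -m set --match-set "$SET_NAME" dst -j REJECT --reject-with tcp-reset
}

# Constructed sample blocklist using RFC 5737 documentation addresses.
SAMPLE_BLOCKLIST="192.0.2.10 198.51.100.7"

# Helper: number of commands a dry run of build_rules would execute.
count_rules() {
    DRY_RUN=1 build_rules "$1" | wc -l | tr -d ' '
}
```

Blocking by IP is coarse: shared hosting and CDNs put many unrelated sites behind one address, so expect both over- and under-blocking.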



Archive: https://lists.debian.org/551403f7.7080...@abwesend.de