Hello Sven and the others,
thanks for the help.
I thought there was a simple and secure way to redirect to a 'This Site has
been blocked' page for HTTP and HTTPS. But when I must destroy the safety of
HTTPS, this isn't an option.
It is a nice-to-have feature in my project, so the user can see this site has
been blocked and there are no connection troubles (the browser error page).
Greetings,
Michael
> "Sven Hartge" wrote:
> Bob Proulx wrote:
> > Sven Hartge wrote:
> >> Michael I. wrote:
>
> >>> Is there really no way to redirect HTTPS requests to an error page
> >>> with squid3+squidguard?
>
> >> Long answer: The only way is to set up a transparent proxy,
> >> intercepting any outbound connection and terminating the encryption
> >> on the proxy. You will need a fake CA certificate with which the
> >> proxy is able to create fake server certificates so the client still
> >> thinks it is connected to the real server.
> >>
> >> And here it gets a) dangerous and b) expensive.
>
> > It is extremely bad, bad, bad, as well as dangerous. I haven't been
> > following the news in great detail but read all about Komodia's recent
> > news articles. Komodia's cracking tools are used in Superfish and
> > Lenovo was in trouble for pre-installing Superfish.
>
> There are network policy/security appliances in the enterprise world,
> which implement a scanning proxy for HTTPS. They come with either a
> wildcard certificate for * (signed by a valid CA!) or a fake CA
> certificate, which you install onto your computers to enable the
> appliance to function.
>
> This is of course very dangerous if you don't know what you are doing,
> but sometimes there are no other options (for example HIPAA, SOX, PCI,
> ...) if you have to absolutely control the flow and content of data.
>
> But then, if you are in the area where you need such
> MitM-Filter-SSL-breaking-proxies, then you already know how to do it
> and when to do it.
>
> If you don't know how to do it and when to do it, chances are, you don't
> need it.
>
> Guessing from Michael's TLD, he is German. This means there are several
> other things to consider, based on the environment this is done in. If
> this is for a company or governmental agency, the Betriebsrat (works
> council) or the Personalrat and the local Datenschutzbeauftragter (data
> security official) have to be involved.
>
> Greetings,
> Sven.
>
> --
> Sigmentation fault. Core dumped.
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
https://lists.debian.org/trinity-16611559-8bb9-4e79-9f61-9b027df65c5b-1427099581524@3capp-gmx-bs01