Settings for Bank & Health

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Settings for Bank & Health

Al Grant
Hi,

I have been told it would be good practice to respect users privacy when it comes to banking and health websites.

I am not sure whether this means not logging those websites, not caching them or something else?

Can someone please elaborate, and perhaps how it would be achieved? I am currently running a non transparent proxy with wpad.

Thanks

AG


--
"Beat it punk!"
- Clint Eastwood
 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Settings for Bank & Health

Matus UHLAR - fantomas
On 13.03.18 20:37, Al Grant wrote:
>I have been told it would be good practice to respect users privacy when it
>comes to banking and health websites.

it's good practice respect users privacy when it comes to all websites.

>I am not sure whether this means not logging those websites, not caching
>them or something else?

in fact, both. However it's not a problem unless you bump SSL connections.
without it, you just see CONNECT requests in proxy logs, which doesn't
violate privacy.
(at least not much, you know where user connects but that's all).

in some countries you are obligated to save the logs for some time.

>Can someone please elaborate, and perhaps how it would be achieved? I am
>currently running a non transparent proxy with wpad.

Bumping SSL connections means decrypting the traffic and removing privacy.
(SSL is designed for end-to-end encryption and valication).

Bumping decrypts the connection, provide own certificates, and make own SSL
connection to the web sites.

Users will not see the green bar commonly seen at banking sites, coming from
extended validation certificate.

if you do ssl bumping, you must be very careful - because of both legal and
technical issues.

If you don't, you should have no problem.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Settings for Bank & Health

Al Grant


On Tue, Mar 13, 2018 at 9:06 PM, Matus UHLAR - fantomas <[hidden email]> wrote:
On 13.03.18 20:37, Al Grant wrote:
I have been told it would be good practice to respect users privacy when it
comes to banking and health websites.

it's good practice respect users privacy when it comes to all websites.

I am not sure whether this means not logging those websites, not caching
them or something else?

in fact, both. However it's not a problem unless you bump SSL connections.
without it, you just see CONNECT requests in proxy logs, which doesn't
violate privacy.


So would you see all the URLs for a given site in the logs?
 
.

Bumping SSL connections means decrypting the traffic and removing privacy.
(SSL is designed for end-to-end encryption and valication).

Bumping decrypts the connection, provide own certificates, and make own SSL
connection to the web sites.

Users will not see the green bar commonly seen at banking sites, coming from
extended validation certificate.


I don't see the need to go as far as filtering traffic based on content. However I would like to be able to view the URLs visited.

Thanks for the explanation.

--
"Beat it punk!"
- Clint Eastwood
 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Settings for Bank & Health

Matus UHLAR - fantomas
>> On 13.03.18 20:37, Al Grant wrote:
>>> I have been told it would be good practice to respect users privacy when
>>> it comes to banking and health websites.
>>> I am not sure whether this means not logging those websites, not caching
>>> them or something else?

>On Tue, Mar 13, 2018 at 9:06 PM, Matus UHLAR - fantomas <[hidden email]>
>wrote:
>> in fact, both. However it's not a problem unless you bump SSL connections.
>> without it, you just see CONNECT requests in proxy logs, which doesn't
>> violate privacy.

On 13.03.18 21:17, Al Grant wrote:
>So would you see all the URLs for a given site in the logs?

No. CONNECT only provides host/IP and port, nothing more.

>> Bumping SSL connections means decrypting the traffic and removing privacy.
>> (SSL is designed for end-to-end encryption and valication).
>>
>> Bumping decrypts the connection, provide own certificates, and make own SSL
>> connection to the web sites.
>>
>> Users will not see the green bar commonly seen at banking sites, coming
>> from
>> extended validation certificate.
>>
>>
>I don't see the need to go as far as filtering traffic based on content.
>However I would like to be able to view the URLs visited.

viewing URLs in HTTPS connections requires decrypting SSL.
decrypting SSL removes privacy and brings problems.
don't decrypt unless you really have to.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users