[CentOS] Squid and HTTPS interception on CentOS 7 ?

Tue Mar 6 18:10:38 UTC 2018
hw <hw at gc-24.de>

Valeri Galtsev wrote:
> On 03/05/18 08:34, Bill Gee wrote:
>> On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
>>> Am 05.03.2018 um 13:04 schrieb Nicolas Kovacs <info at microlinux.fr>:
>>>> Le 28/02/2018 à 22:23, Nicolas Kovacs a écrit :
>>>>> So far, I've only been able to filter HTTP.
>>>>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>>>>> advice, caveats, do's and don'ts ?
>>>> After a week of trial and error, transparent HTTPS filtering works
>>>> perfectly. I wrote a detailed blog article about it.
>>>> https://blog.microlinux.fr/squid-https-centos/
>>> I wonder if this works with all https enabled sites? Chrome has
>>> capabilities hardcoded to check google certificates. Certificate
>>> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
>>> the end node to identify MITM. I hope that such setup will be unpractical
>>> in the near future.
>>> About your legal requirements; Weighing is what courts daily do. So,
>>> such requirements are not asking you to destroy the integrity and
>>> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
>>> Ports are the way to go.
>>> -- 
>>> LF
>> Although not really related to CentOS, I do have some thoughts on this.  I
>> used to work in the IT department of a public library.  One of the big
>> considerations at a library is patron privacy.  We went to great lengths to
>> NOT record what web sites were visited by our patrons.  We also deny requests
>> from anyone to find out what books a patron has checked out.
> I bet, your servers never embedded links to anything external. If it is external link, it is requested to open in new browser window. No part of the page should need external (not living on our server) content. That was the way we did it since forever.
> It sounds like I will have to fight soon against "google-analytics" glued into each page of our websites. It is amazing that people who have no knowledge rule technical aspects of IT in many places...

Yes, why would students be allowed to contact such sites?  One could argue which
is worse: Being spied upon by trackers and having their privacy taken away to allow
the manipulation of the unaware student by ruthless entities, or allowing the
students to follow their natural desire to explore their sexuality, which my lead
them to watching porn.

There isn´t even a beginning of an understanding what kind of damage might be done
with the information gathered and by getting people used to having no privacy, and
protection against it is severely lacking.  Are the students capable of deciding
whether they want to be the subjects of 100% surveillance or not, do they understand
what it means, how well are they being informed about how to protect themselves
against it, and do they have the means to do it?