Default SSL Settings
Oct. 06, 2010, 04:29 AM
Post: #2
RE: Beta Config (Sep 19 2010)
(Oct. 05, 2010 05:19 PM) sidki3003 Wrote:
After a longer while of thinking about this matter, I came to the conclusion that such a change would be irresponsible:
- While HTTPS was a more exclusive thing until the late nineties, you can now get HTTPS server certificates for free.
- HTTPS is called "secure HTTP", because the data get passed from server to client in encrypted format. Everything else is a myth.
- There is no serious barrier at all, that would prevent malicious code from being sent over HTTPS. (However, such incidents are very uncommon.)

Ergo:
- Changing "UseSSLeay = FALSE" would leave those users in the cold, who trust in the upcoming config being at least as secure as the previous ones.
- If you don't like to filter secure pages (in the above explained sense!), you can set that manually anytime, it takes less than 20 seconds...

I have no problem with whatever decision is made. Personally, I would prefer to use https filtering, but my understanding from previous discussions was that the expected filtering happened to fail in a fair number of https situations.

The default configuration/documentation can be directed toward a crowd who will (should) take the extra steps to enable https filtering, or toward a crowd who will not. If users are informed about the advantage of https filtering and given proper direction for initial installation, the DLL message troubles can be avoided and the better configuration choice will be delivered as the default.

Does UseSSLEAY=TRUE provide security if users are not told that browser https proxy configuration and DLL installation are REQUIREMENTS for the desired "normal" configuration?

What I'm getting at is that Sidki's documentation represents the https filtering as optional, where the new user can just install the software, configure the browser for http proxy and do nothing else. Installing the dll files and configuring the browser to use Prox. for https is additional action that must be taken, if this is the default preference. The documentation for these steps belongs in the "normal" installation description of Sidki's website Readme, rather than in the optional section.

Just one more observation about the current state of affairs: with UseSSLeay=TRUE, and the user not doing the other configuration steps - believing that UseSSLeay is not active by default - the Prox. gui shows a checkmark, thus a somewhat misleading indication of https filtering status. If a user were to uncheck and then recheck this box, attempting to get back to the "oob" configuration, the "mysterious" dll errors will appear. The user notices it was checked previously and Prox. did not present errors. With UseSSLEAY=FALSE and no expectations of https filtering in place as default, the misleading indication and dll errors are less likely.

I'm making a suggestion to review and rewrite the Readme documentation on the Sidki website, and include mention of the full installation requirements for the desired configuration. Users like me who do indeed "RTFM" for accuracy will not be disappointed.


Messages In This Thread
Default SSL Settings - sidki3003 - Oct. 05, 2010, 05:19 PM
RE: Default SSL Settings - wammie - Oct. 09, 2010, 07:37 AM
RE: Default SSL Settings - Mele20 - Oct. 09, 2010, 01:28 PM
RE: Default SSL Settings - JJoe - Oct. 09, 2010, 03:18 PM
RE: Default SSL Settings - wammie - Oct. 09, 2010, 03:33 PM
RE: Default SSL Settings - JJoe - Oct. 09, 2010, 05:08 PM
RE: Default SSL Settings - wammie - Oct. 15, 2010, 04:12 AM
RE: Default SSL Settings - Mele20 - Oct. 25, 2010, 10:43 PM
RE: Default SSL Settings - JJoe - Oct. 26, 2010, 12:19 AM
RE: Default SSL Settings - Mele20 - Oct. 26, 2010, 12:49 AM
RE: Beta Config (Sep 19 2010) - wammie - Oct. 06, 2010 04:29 AM
RE: Beta Config (Sep 19 2010) - sidki3003 - Oct. 06, 2010, 06:11 PM
