BYOD и Google SSL

Squid supports a feature called SslBump using Bump-Server-First. This basically means browsers will attempt to establish a secure connection between them and the host. The Squid cache gets the intercepted connection and Squid establishes the external connection. Then completes the secure connection to the user. Squid is essentially the certificate authority for user/squid portion so it can decrpyt the traffic and cache/filter it.

As this is something the people who designed SSL thought could be an attack vector there's some bumps to get over. Squid does support dynamic cert generation so cert domains match on the client end and have some of the original cert information go through to the client. All this can go fairly seamlessly if your client devices can trust your CA certificate. That bits a little harder if people are using their own devices.

• iOS can add CA certs with the iPhone Configuration utility
• Doesn't look like it's possible on the droids
• Recent droids can add CA certs
• Windows/OSX of course can.
• Linux is a bit more fiddly depending on the apps you use and what they use as a key store.

The thing to note is your cache is now in control of third party trust for these devices. The information that is mimicked in the dynamic certs goes some way to mitigating this but it's possible to configure squid to blindly trust things which could be bad for the users, if someone were to do a real man in the middle attack further out from your proxy, for instance.

Вы мало что можете сделать .. Вы можете создать само- подписанный SSL-сертификат для google.com и MITM трафик, и тогда вы сможете проверить его и заблокировать по мере необходимости, за исключением того, что это зависит от того, насколько хитры дети, и подпадут ли они на процесс принятия вас -подписанный сертификат.

Это тоже вероятно незаконно. Вы можете полностью заблокировать HTTPS-трафик, но это, вероятно, сломает множество вещей.