Sean Crago wrote:
| On a more LUG-relevant note, the new ISP seems to be running some sort
| of Squid proxy, according to some "that host ain't responding" errors
| that explicitly stated they were coming from a Squid install. If they
| are running an HTTPS proxy as well then I am extremely nervous - Would
| anyone care to share a simple test to determine whether or not they
| are and, if possible, simple ways to bypass a transparent proxy?
| Bandwidth is scarce in Nepal, but I'm a touch more concerned about
| protecting my privacy than limiting my bandwidth consumption.
You need to look at the certificate of the site you're talking to.
It's possible to proxy/NAT/mangle https traffic w/o listening in on the encrypted communication. It's also possible to do a man-in-the-middle decrypt/re-encrypt of the traffic to sniff the contents.
Barring any serious bugs in your crypto implementation, the way to tell if you're talking securely to the site you intend is to examine the certificate used to encrypt the traffic. If the certificate (and hence the public key) is trusted, it should not be possible for anyone to listen in on your communication, regardless of whether or not they have access to the traffic (assuming, of course, that you trust public-key encryption).
So...make sure the certificate for the far-end was issued to your bank and not to some local Nepal company. And pay close attention to any pop-ups your browser throws about certificates.
...or contact the folks you want to communicate with ITRW and exchange a few one-time pads. :)
-- 
Charles Steinkuehler
charles@steinkuehler.net
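The certificate check described in the reply above, scripted as an added example that is not part of the original message: it compares the certificate a site presents on the suspect network with the organization name and SHA-256 fingerprint recorded earlier on a network you trust. The function names, the sample names and the stand-in certificate bytes are all constructed for illustration.

```python
import hashlib
import socket
import ssl


def fetch_cert(host, port=443, timeout=10):
    # The default context validates chain and hostname, so an untrusted
    # interception certificate raises ssl.SSLCertVerificationError here.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def name_attr(name, key):
    # getpeercert() stores subject/issuer as a tuple of RDNs of (key, value) pairs.
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def assess(cert, der, expected_org, known_sha256):
    # Compare what was presented against values recorded on a trusted network.
    findings = []
    org = name_attr(cert.get("subject", ()), "organizationName")
    if org is None:
        findings.append("subject has no organizationName; rely on the fingerprint")
    elif org != expected_org:
        findings.append(f"issued to {org!r}, expected {expected_org!r}")
    seen = hashlib.sha256(der).hexdigest()
    if seen != known_sha256:
        issuer = name_attr(cert.get("issuer", ()), "organizationName")
        findings.append(f"fingerprint differs from trusted copy; issuer is {issuer!r}")
    return findings


# Constructed sample data: the certificate as recorded on a trusted network and
# what a re-encrypting proxy would present instead (bytes are stand-ins for DER).
GOOD_DER = b"constructed-der-bytes-of-bank-certificate"
GOOD = {"subject": ((("organizationName", "Example Bank"),), (("commonName", "www.bank.example"),)),
        "issuer": ((("organizationName", "Example Public CA"),),)}
PROXY_DER = b"constructed-der-bytes-of-proxy-certificate"
PROXY = {"subject": ((("organizationName", "Example ISP"),), (("commonName", "www.bank.example"),)),
         "issuer": ((("organizationName", "Example ISP"),),)}
KNOWN = hashlib.sha256(GOOD_DER).hexdigest()
```

On a live connection, pass the two values returned by `fetch_cert(host)` to `assess`. A fingerprint can also change legitimately when a site renews its certificate or serves different ones from different servers, so a mismatch is a reason to look at the issuer, not proof of interception.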