When I first saw this I was annoyed: "why is this using relayd to blacklist some websites?"
Blacklisting websites could be done simply using PF and nothing else.
But this guide is an example of using the relayd as described in the recent paper at AsiaBSDCon 2013:
http://www.openbsd.org/papers/relayd-asiabsdcon2013.pdf
The really interesting part for me was how one can use relayd to intercept SSL (https) connections (now you can be just like the NSA...) and why it is bad for the whole https system when certificate authorities are hacked.
Under the title, "Create certificates for relayd", the guide says:
Quote:
Create CA key and Certificate :
openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
I chose « testing_relayd » as the password; you will need it in the relayd.conf file, and the « ca.crt » needs to be installed on all the computers in the network (LAN).
Besides creating client certificates and putting them on all the client computers, the paper explains how hacking a certificate authority works just as well:
Quote:
Another solution is to obtain an official CA with private key or to get an intermediate CA - a local CA signed by an official CA. Getting an official CA or intermediate CA for SSL Interception is normally only possible for governmental authorities (e.g. TURKTRUST in Turkey), or people who have access to a possibly compromised CA (e.g. DigiNotar in the Netherlands).
As the paper says,
Quote:
"SSL Interception" is a fairly common feature in commercial firewall products, for example from Juniper[5] or Check Point[4], why shouldn't it be freely available in OpenBSD as open source software?
This might even have the effect that the increased availability of the feature will raise the awareness of the problem and lead to practical solutions in the future.
Let us hope that there is more awareness of the weaknesses in the https system and that a better system is developed.
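As an added example (not part of the original post, the quoted guide, or the AsiaBSDCon paper), the script below reproduces the guide's "openssl req -x509" CA step with the openssl CLI, mints a leaf certificate for a hostname the way an intercepting proxy would, and then checks what a client makes of it in three situations: the guide's local CA with an untouched client, the same CA after ca.crt has been installed on the client, and a leaf signed with the key of a CA the client already trusts (the DigiNotar / TURKTRUST case from the paper). It assumes only that openssl is on PATH; every directory, CA name, file name and the hostname are constructed for the demo and written to a temporary directory, not to /etc/ssl.

```shell
#!/bin/sh
# Added example, not code from the original post or the guide it quotes.
# Builds two CAs: an "official" one that is already in the client's trust
# store, and the "local" interception CA from the guide. Then it signs a
# leaf certificate for $HOST with each and asks openssl verify whether a
# client would accept it. Assumes openssl on PATH; all names and paths
# below are constructed for this demo and live in a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.com"      # constructed: the site the proxy impersonates
PASS="testing_relayd"       # the passphrase the guide chose for ca.key

# new_ca DIR CN: self-signed CA, same command as the guide's
# "openssl req -x509 ..." line, with the passphrase given non-interactively.
new_ca() {
    mkdir -p "$1"
    openssl req -x509 -days 365 -newkey rsa:2048 \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -passout "pass:$PASS" -subj "/CN=$2" >/dev/null 2>&1
}

# sign_leaf CADIR OUTPREFIX: key + CSR for $HOST, signed by the CA in CADIR.
# This is the certificate an intercepting proxy presents to the client.
sign_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$HOST" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -passin "pass:$PASS" \
        -CAcreateserial -out "$2.crt" >/dev/null 2>&1
}

# verdict TRUSTSTORE OUTPREFIX: prints "trusted" or "untrusted", i.e. what a
# client whose trust store is TRUSTSTORE says about the leaf certificate.
verdict() {
    if openssl verify -CAfile "$1" "$2.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# The client's trust store contains only the "official" CA. Installing
# ca.crt, as the guide requires, appends the local CA to that store.
new_ca "$WORK/official" "Official Root CA"
new_ca "$WORK/local"    "relayd interception CA"
cat "$WORK/official/ca.crt" > "$WORK/untouched-client.pem"
cat "$WORK/official/ca.crt" "$WORK/local/ca.crt" > "$WORK/client-with-ca-crt.pem"

sign_leaf "$WORK/local"    "$WORK/leaf-local"     # signed by the guide's CA
sign_leaf "$WORK/official" "$WORK/leaf-official"  # signed with a compromised official CA key

# Case 1: the guide's CA, client untouched: the browser warns.
case1() { verdict "$WORK/untouched-client.pem" "$WORK/leaf-local"; }
# Case 2: the guide's CA after ca.crt was installed on the client: accepted.
case2() { verdict "$WORK/client-with-ca-crt.pem" "$WORK/leaf-local"; }
# Case 3: leaf signed with an official CA's key: accepted by an untouched
# client, nothing needs to be installed anywhere. That is the paper's point.
case3() { verdict "$WORK/untouched-client.pem" "$WORK/leaf-official"; }

printf 'untouched client, local CA:     %s\n' "$(case1)"
printf 'client with ca.crt, local CA:   %s\n' "$(case2)"
printf 'untouched client, official CA:  %s\n' "$(case3)"
```

Run it with `sh` and compare the three lines: only case 1 is rejected. The difference between case 2 and case 3 is the whole reason the paper's remark about compromised CAs matters: the guide's method needs an install step on every client, while an attacker holding a trusted CA's key needs none.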