
Re[3]: multiplexing -- don't do it

From: Adrien W. de Croy <adrien@qbik.com>
Date: Mon, 02 Apr 2012 23:18:03 +0000
To: "Adrien W. de Croy" <adrien@qbik.com>, "Robert Collins" <robertc@squid-cache.org>, William Chan (陈智昌) <willchan@chromium.org>
Cc: "Roberto Peon" <grmocg@gmail.com>, "Mike Belshe" <mike@belshe.com>, "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <emcd33b348-753e-4f46-8717-3899768c9b5c@BOMBED>

------ Original Message ------
From: "Adrien W. de Croy" <adrien@qbik.com>
>
>------ Original Message ------ 
>From: "Robert Collins" <robertc@squid-cache.org> 
>>On Tue, Apr 3, 2012 at 10:38 AM, William Chan (陈智昌) 
>><willchan@chromium.org> wrote: 
>>
>>>
>>>Hypothetically speaking, if HTTP/2.0 were TLS only, then either vendors
>>>would have to move to explicit proxies or to SSL MITM...
>>>
>>
>>
>>You say 'move to', but the reality has been for years that vendors
>>*have* SSL MITM up and running. Hell, a CA was busted a month or so
>>back for issuing wildcard certs (top level wildcard no less!) to
>>organisations that wanted to MITM all their traffic... never mind that
>>they could then issue a cert for *any* domain which would be in
>>default browsers' cert list...
>>
>>SSL MITM isn't something we need to work hard to *avoid*, it's
>>something we have to deal with today.
>>
>>The best we can do is set up an environment where there is less or even
>>no need for SSL MITM, where folk that are doing SSL MITM today can
>>migrate to something a little less toxic tomorrow.
>>
>>
>
>
>Completely agree.
>
>MITM is a PITA for vendors: you have to ship your signing cert and
>generate spoofed signed certs in real time to fool the browsers.
  
Sorry, when I say "ship", I mean install a cert (e.g. self-signed,
generated on the proxy, not shipped from the vendor) onto all client
computers.
  
Adrien
>
>
>So providing explicit support would make life a fair bit easier. I'm 
>pretty sure everyone who wrote MITM was holding their nose at the 
>time. 
>
>Adrien 
>
>
>>
>>-Rob 
>>
>>
>
>
Received on Monday, 2 April 2012 23:18:29 GMT
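The two mechanics Adrien describes (a proxy CA installed onto every client, and per-site certificates minted by the proxy and signed with that CA) are exactly what a client-side check can look for. The script below is an added example, not code from this thread or from any of the products mentioned; it uses only the Python standard library. The dict layouts follow what `ssl.SSLContext.get_ca_certs()` and `ssl.SSLSocket.getpeercert()` return, and every certificate in it (the "Example Public Root CA", the "Example Corp Web Filter CA", the leaf for www.example.com) is constructed for illustration and does not describe any real CA, product or site.

```python
"""Defender-side checks for an interception (SSL MITM) proxy deployment.

Check 1: a proxy CA has to be installed on every client, so compare the
         roots the local TLS stack trusts against a saved baseline.
Check 2: the proxy then signs a fresh leaf for each visited site, so test
         whether a peer certificate was issued by one of those private roots.
"""
import ssl


def _name(org, cn):
    """Build an ssl-style distinguished name: a tuple of RDNs, each a tuple
    of (attribute type, value) pairs, as ssl.getpeercert() reports them."""
    return ((("countryName", "US"),), (("organizationName", org),), (("commonName", cn),))


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of an ssl-style name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


# Constructed sample data (not taken from any real trust store).
# A root as shipped with the OS ...
PUBLIC_ROOT = {
    "subject": _name("Example Public CA Inc", "Example Public Root CA"),
    "issuer": _name("Example Public CA Inc", "Example Public Root CA"),
    "notAfter": "Jan  1 00:00:00 2040 GMT",
    "serialNumber": "01",
    "version": 3,
}
# ... and a self-signed proxy CA an administrator pushed onto the client.
PROXY_ROOT = {
    "subject": _name("Example Corp IT", "Example Corp Web Filter CA"),
    "issuer": _name("Example Corp IT", "Example Corp Web Filter CA"),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "serialNumber": "02",
    "version": 3,
}
# What a client behind that proxy sees for www.example.com: a leaf minted on
# the fly and signed by the proxy CA instead of the site's real public CA.
PEER_CERT = {
    "subject": _name("Example Site Ltd", "www.example.com"),
    "issuer": PROXY_ROOT["subject"],
    "subjectAltName": (("DNS", "www.example.com"),),
    "notAfter": "Jan  1 00:00:00 2013 GMT",
    "serialNumber": "A1B2",
    "version": 3,
}


def root_fingerprints(ca_certs):
    """Reduce a get_ca_certs()-style list to a set of (subject CN, serial)."""
    return {(_rdn_value(c["subject"], "commonName"), c["serialNumber"]) for c in ca_certs}


def find_unexpected_roots(ca_certs, baseline):
    """Check 1: roots trusted now that were absent from the baseline snapshot."""
    return sorted(root_fingerprints(ca_certs) - baseline)


def issued_by_private_root(peer_cert, private_roots):
    """Check 2: return the CN of the private root that issued peer_cert, or None.

    A proxy-minted leaf carries the proxy CA's subject as its issuer, so an
    exact issuer/subject match is the signal; a genuine site cert chains to a
    public CA instead."""
    for root in private_roots:
        if peer_cert["issuer"] == root["subject"]:
            return _rdn_value(root["subject"], "commonName")
    return None


def local_roots():
    """Roots the running interpreter's default TLS context actually trusts
    (empty on platforms where Python defers to an OS verifier)."""
    return ssl.create_default_context().get_ca_certs()


# Baseline taken when the machine was known to be clean: only the public root.
BASELINE = root_fingerprints([PUBLIC_ROOT])

if __name__ == "__main__":
    print("new roots vs baseline:", find_unexpected_roots([PUBLIC_ROOT, PROXY_ROOT], BASELINE))
    print("peer cert issued by private root:", issued_by_private_root(PEER_CERT, [PROXY_ROOT]))
    print("roots in this interpreter's default context:", len(local_roots()))
```

In practice the baseline is the output of `root_fingerprints(local_roots())` saved on a freshly installed machine; running `find_unexpected_roots` later on the same machine turns up any CA that was installed afterwards, and feeding `ssl.SSLSocket.getpeercert()` for a real connection into `issued_by_private_root` tells you whether that particular session was terminated by the proxy rather than by the origin.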
