- From: Mike Belshe <mike@belshe.com>
- Date: Tue, 3 Apr 2012 09:11:42 -0700
- To: Ray Polk <ray.polk@oracle.com>
- Cc: adrien@qbik.com, grmocg@gmail.com, ietf-http-wg@w3.org, squid3@treenet.co.nz
- Message-ID: <CABaLYCvXAiRSVAmdq3jHW=BP9YHt4ntv1kcY-HQxkJfAKAZrDA@mail.gmail.com>
On Tue, Apr 3, 2012 at 4:28 AM, Ray Polk <ray.polk@oracle.com> wrote:

> Don't you think there will be another layer to the corporate SSL onion
> once this one is peeled back?
>
> Banks will race to provide access that ISPs can't see. Heck, people on
> this mailing list will have an extra layer of encryption to their server
> running at home as soon as their corporation can see all of their SSL
> traffic. These will all be tunneling over 80 too... >.<
>

Maybe it exists already: HSTS?

Mike

> I don't think we'd be able to claim anything other than an ephemeral
> victory on this one subpoint.
>
> -Ray
>
> (further -- with a forced explicit secure proxy, won't ISPs actually be in
> a better position to behave badly than they are right now?)
>
> ----- mike@belshe.com wrote:
> |
> | On Mon, Apr 2, 2012 at 3:28 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
> |
>> | ------ Original Message ------
>> | From: "Roberto Peon" <grmocg@gmail.com>
>> | To: "Adrien W. de Croy" <adrien@qbik.com>
>> | Cc: "Mike Belshe" <mike@belshe.com>; "Amos Jeffries" <squid3@treenet.co.nz>; "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
>> | Sent: 3/04/2012 10:02:56 a.m.
>> | Subject: Re: multiplexing -- don't do it
>> |
>>
>> I don't trust proxies... hopefully that is apparent, but I'm asking for
>> explicit support for them and attempting to deny support for non explicit
>> proxies.
>>
>> I don't have a problem with proxy usage moving to explicit only. We've
>> been trying to get customers to move in that direction for years.
>>
>> Customers do like using interception though. Educating them costs
>> money. Not providing the feature would cost us sales, until we could get
>> commitment from every other vendor to deprecate the feature.
>>
>> if 2.0 can fix this by providing a path forward which doesn't allow it,
>> then everyone will be in the same boat, which is fine with me.
>>
> |
> If we got SSL interception to work with trusted proxies, it would be a
> huge feature to a lot of corporate sites. Not having to roll out SSL MITM
> is really valuable to them.
>
> I'm 100% sure that Chrome & Firefox would get behind a solution which
> enforced SSL more often and required browsers to support more features with
> trusted SSL to proxies.
>
> Mike
>
Received on Tuesday, 3 April 2012 16:12:12 UTC