
Re: Mandatory encryption

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 19 Jul 2012 12:23:02 +0200
To: Anil Sharma <asharma@sandvine.com>
Cc: Roberto Peon <grmocg@gmail.com>, Paul Hoffman <paul.hoffman@gmail.com>, Phillip Hallam-Baker <hallam@gmail.com>, "grahame@healthintersections.com.au" <grahame@healthintersections.com.au>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Mike Belshe <mike@belshe.com>
Message-ID: <20120719102302.GJ16208@1wt.eu>

On Thu, Jul 19, 2012 at 10:17:39AM +0000, Anil Sharma wrote:
> When the request is sent in clear text, the proxy modifies it to force
> "safesearch=on" in the requests so that Google refrains from returning
> -----------------------------> Why can't TLS proxy do it ( anyways I thought
> the browser or the user decides it but even if lets its company policy and
> proxy does it for all the request)   Just trying to understand......

It would require deciphering the stream, sending a fake certificate
pretending to be the real server. Some proxies do this right now, this
is one of the ugly tricks we're seeing more and more and that a number
of people want to see disappear in favor of a user choice of letting
the proxy analyze the contents (the principle of the GET https://). Also
if you've read this thread, having a proxy tamper with your request in HTTPS
without you being aware of it is quite contrary to the directions being
taken :-)

Regards,
Willy
Received on Thursday, 19 July 2012 10:23:33 GMT
