
Re: Semantics of HTTPS

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 6 Aug 2012 22:43:27 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20120806204327.GA7647@1wt.eu>
On Mon, Aug 06, 2012 at 03:32:01PM -0500, Mark Nottingham wrote:
> <https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p1-messaging.html#https.uri> is slated to define the semantics of HTTPS urls. 
> 
> We currently talk about HTTPS' impact on caches and identity there, but we don't mention one other major effect on HTTP -- the use of CONNECT to proxies. 
> 
> I think we need to define HTTPS as having a semantic of *end-to-end* use of SSL/TLS, and therefore CONNECT to proxies. 
> 
> Make sense?

I'd rather have it be the equivalent of the "GET https://" we've been talking
about, with something different for use with CONNECT. CONNECT is used to
establish a tunnel, and anything passes through (I'm using it on a daily
basis to SSH home).

Many people involved in proxies would like CONNECT to disappear or at least
to work based on fine whitelists (e.g. banks, PayPal, ...) and use GET https://
instead to provide the ability to use safe connections between the proxy and
the internet, with the ability to block malware.

Right now this is already performed with CONNECT using awful tricks that
totally break HTTP and even prevent software such as Firefox from being
able to upgrade itself; this is a total failure.

Regards,
Willy
Received on Monday, 6 August 2012 20:43:54 GMT
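The distinction Willy draws above, between CONNECT (an opaque tunnel the proxy can only allow or refuse per host:port) and an absolute-form "GET https://" request (where the proxy sees the full URL and fetches it over TLS itself), as an added example written for this page; it is not part of the original mail, nor code from any real proxy. The allow-list, block-list, hostnames and the rule "CONNECT only to allow-listed hosts on 443" are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this toy proxy will tunnel to with
# CONNECT (the "fine whitelists (e.g. banks, PayPal)" idea from the mail).
CONNECT_ALLOWLIST = {"bank.example", "paypal.example"}

# Constructed block-list for the absolute-form path, where the proxy can see
# the URL and apply policy before it talks TLS to the origin itself.
BLOCKED_HOSTS = {"malware.example"}


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts, rejecting junk."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2]


def decide(request_line):
    """Return (action, host, port, detail) for one proxy request line.

    action is 'tunnel'  -> CONNECT accepted, bytes pass through opaquely
              'forward' -> absolute-form request the proxy fetches itself
              'deny'    -> policy refused it
    """
    method, target, _version = parse_request_line(request_line)

    if method == "CONNECT":
        # Authority-form target (host:port). This is all the proxy ever sees;
        # after a 2xx it just copies bytes, whether they carry TLS, SSH or
        # anything else (rpartition keeps "[::1]:443" intact).
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return ("deny", target, 0, "CONNECT target must be host:port")
        port = int(port)
        if host in CONNECT_ALLOWLIST and port == 443:
            return ("tunnel", host, port, None)
        return ("deny", host, port, "CONNECT only to allow-listed hosts on 443")

    # Absolute-form target: scheme, host, port and path are all visible to
    # the proxy, so the decision can be per URL rather than per host:port.
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        return ("deny", target, 0, "proxy requests need an absolute http(s) URL")
    port = url.port or (443 if url.scheme == "https" else 80)
    if url.hostname in BLOCKED_HOSTS:
        return ("deny", url.hostname, port, "host is on the block-list")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return ("forward", url.hostname, port, path)


def status_line(decision):
    """The first line the proxy writes back to the client for a decision."""
    action = decision[0]
    if action == "tunnel":
        return "HTTP/1.1 200 Connection Established"
    if action == "deny":
        return "HTTP/1.1 403 Forbidden"
    # 'forward': the status comes from the origin once the proxy has fetched it.
    return None


if __name__ == "__main__":
    # Constructed sample request lines, as a client would send them to a proxy.
    for line in (
        "CONNECT bank.example:443 HTTP/1.1",
        "CONNECT home.example:22 HTTP/1.1",   # SSH through CONNECT, as in the mail
        "GET https://malware.example/payload.exe HTTP/1.1",
        "GET https://news.example/index.html?x=1 HTTP/1.1",
    ):
        d = decide(line)
        print("%-50s -> %s %s" % (line, d, status_line(d)))
```

The point the example makes concrete: with CONNECT the proxy's only policy handle is the host:port pair, and the SSH-over-CONNECT case looks exactly like TLS to the proxy, so a strict allow-list is the only way to keep the tunnel honest; with the absolute-form request the proxy has the scheme, host and path and can refuse a single URL while still speaking TLS to the origin on the client's behalf.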
