W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Semantics of HTTPS

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 6 Aug 2012 23:41:06 +0200
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20120806214106.GD7647@1wt.eu>
Hi Stephen,

On Mon, Aug 06, 2012 at 10:33:26PM +0100, Stephen Farrell wrote:
> > At the moment the state of affairs has created MITM proxies and we'd better
> > get rid of them by offering a solution to the problem they try to solve.
> 
> The tls WG was offered that option again last week and rejected it
> again. If the httpbis WG want to standardise some kind of mitm without
> changing TLS then that seems to re-define https to me at least.
> 
> Even though mitm hacks exist and people pay for them, the IETF has
> actively and repeatedly refused to standardise that behaviour.

I'm not advocating MITM, quite the opposite : I'm advocating valid
use of proxies via opt-in to put an end to MITM.

The end user chooses in his browser :

    Proxy Connection for HTTPS :
        [ ] proxy may inspect contents fetched over HTTPS  (GET https://)
            except for those sites : _______________
        [ ] proxy may not inspect contents fetched over HTTPS  (CONNECT)

The proxy's policy then enables a number of sites to use CONNECT and
rejects the other ones. The user is then free to opt in for content
inspection or reject it. There's no MITM here. The MITM is what is
currently being done at many places without the user's consent.

Willy
Received on Monday, 6 August 2012 21:41:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 6 August 2012 21:41:36 GMT