Re: Semantics of HTTPS

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 6 Aug 2012 17:14:00 -0500
Cc: Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <11237AD8-5651-4325-9BE6-F94A2404AD6E@mnot.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
On 06/08/2012, at 5:12 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>>    Proxy Connection for HTTPS :
>>        [ ] proxy may inspect contents fetched over HTTPS  (GET https://)
>>            except for those sites : _______________
> Does that whitelisting approach break TLS client auth and channel
> binding? I guess we'd need to see a draft to know but regardless of
> the fact that those are not very widely used, re-defining https
> like this in a way that breaks those features seems like a bad
> plan.
>>        [ ] proxy may not inspect contents fetched over HTTPS  (CONNECT)
> With what default? I'd bet there are many wrinkles here. What about
> use of SNI in TLS to select between hosts?
> Really, I think your proposal doesn't work out in the end. I also
> understand why you propose it, but suspect that like many such
> proposals there are many more problems than are apparent at first.

At first glance, it seems like HSTS would need to be extended to cover the new possibilities…


Mark Nottingham
Received on Monday, 6 August 2012 22:14:24 UTC