W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: HTTPS, proxying, and all that...

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 11 Jan 2013 22:03:59 +0000
To: Eliot Lear <lear@cisco.com>
cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ilya Grigorik <ilya@igvita.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <28184.1357941839@critter.freebsd.dk>
In message <50F089A4.7070101@cisco.com>, Eliot Lear writes:

>How does this differ from what we have today?

Today HTTP and HTTPS does not offer the concept of a (grudingly!)
trusted proxy:  There is no way to have security from your browser
to a proxy which implements your companys IT policies, and from
that proxy to your banks net-bank service.

Either your proxy gives up implementing the policy, and let you
connect HTTPS (via CONNECT) end-to-end, or your proxy denies
you access, since it cannot implement its policy.

The problem is that people have found a workaround for this HTTPs
shortcoming:  They (make you) install a bogo-certificate on your
machine, which terminates your HTTPS on the proxy, so it can implement
its policy, and God knows what happens from there...

And with that, I'm signing off for tonight.

We've dicussed this issue previously, people doubted it happened
in the real world, I have now pointed to a news-item that settles
that question, and we can each continue our crusades against our
respective windmills.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 11 January 2013 22:04:23 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:09 UTC