- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 14 Nov 2013 01:37:27 +0000
- To: Willy Tarreau <w@1wt.eu>, "William Chan (?????????)" <willchan@chromium.org>
- CC: Adrien de Croy <adrien@qbik.com>, Mike Belshe <mike@belshe.com>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 11/14/2013 01:09 AM, Willy Tarreau wrote:
> least detestable

The second word of that phrase seems to me to be almost perfectly appropriate for MITM attack product features. But, importantly, I think your use of the phrase does expose the reality of what we all think of doing that, even, I suspect and hope, those who do it for fun or profit. Thank you.

As to the supposed requirements that lead to those detestable product features - if enforcing policy on HTTP traffic is what is claimed to be required then I would love to see this wg go figure out ways of doing that using HTTP (rather than *ab*using TLS) so as to not affect the many many other protocols that depend on TLS not being as detestable as the implementations you're talking about.

But personally speaking I don't know how you can do that without screwing up the many other protocols that depend on https:// and in the process making those also detestable.

Cheers,
S.

PS: "Supposed" above is I think fair for most of the "requirements" claimed in this space. There is some validity to realtime inbound malware scanning but the rest seems like nonsense. I do wonder why people who pay for those products don't realise this;-)
Received on Thursday, 14 November 2013 01:37:52 UTC