
Re: Moving forward on improving HTTP's security

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Thu, 14 Nov 2013 12:24:27 +0100
Message-ID: <1b327a17d9e12ce91cc536b4cbdb8586.squirrel@arekh.dyndns.org>
To: "Patrick McManus" <pmcmanus@mozilla.com>
Cc: "William Chan (陈智昌)" <willchan@chromium.org>, "Adrien de Croy" <adrien@qbik.com>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Willy Tarreau" <w@1wt.eu>, "Mike Belshe" <mike@belshe.com>, "Tao Effect" <contact@taoeffect.com>, "Tim Bray" <tbray@textuality.com>, "James M Snell" <jasnell@gmail.com>, "Mark Nottingham" <mnot@mnot.net>, "HTTP Working Group" <ietf-http-wg@w3.org>

> On Wed, Nov 13, 2013 at 7:09 PM, William Chan (陈智昌)
> <willchan@chromium.org> replied to Willy:
>
>> Just to be clear, the MITM works because the enterprises are adding new
>> SSL root certificates to the system cert store, right? I agree that that
>> is terrible. I wouldn't use that computer :) I hope we increase awareness
>> of this issue.

Then you won't be paid, because the internal reporting app where you
declare your work hours will use the same PKI and you'll need the cert to
access it. (And if you say that's bad: that's the same trick Google uses by
putting its reCAPTCHA service, for example, on the same SNI as other Google
services. You can't allow one without the others.)

You won't force enterprises not to MITM without giving them alternatives
to monitor their traffic, and you won't help employees by having them
fight their employer on such issues (if anything, they have better stuff
to fight about).

-- 
Nicolas Mailhot
Received on Thursday, 14 November 2013 11:24:55 UTC
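The mechanism the two messages above argue about (a proxy root pushed into
the desktop trust store makes forged certificates for public sites verify,
and the same root also signs the certificates of internal apps) can be shown
with a few lines of Go. The program below is an added illustration, not code
from the thread or from any of the browsers or proxies mentioned: it builds a
stand-in "public" root, a "corporate" proxy root, a genuine leaf for
www.example.com, a forged leaf for the same name from the corporate root, and
a leaf for a hypothetical internal timesheet host. It then verifies each leaf
against the two trust stores, and finally compares the SubjectPublicKeyInfo
hash of the genuine and forged leaves, which is the pin check that still
detects the interception once the root is installed. All names and hosts are
made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a self-signed root certificate with its signing key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 = 1 // monotonic serial so every issued certificate is distinct

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newRoot creates a self-signed CA. It stands in both for a root shipped in
// a public bundle and for a root an IT department pushes to every desktop.
func newRoot(name string) ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return ca{cert, key}
}

// issueLeaf returns a server certificate for host signed directly by issuer.
// A TLS-intercepting proxy does exactly this on the fly for every site visited.
func issueLeaf(issuer ca, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// trusted reports whether leaf chains to one of roots for the given host name,
// i.e. what a client with exactly that trust store would decide.
func trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// spkiPin returns the hex SHA-256 of the certificate's SubjectPublicKeyInfo.
// A pin on the real site's key differs from the proxy's forged key no matter
// which roots the trust store holds.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func main() {
	publicRoot := newRoot("Example Public Root CA") // hypothetical bundle root
	corpRoot := newRoot("Example Corp Proxy Root CA") // hypothetical pushed root

	genuine := issueLeaf(publicRoot, "www.example.com")
	forged := issueLeaf(corpRoot, "www.example.com")
	timesheet := issueLeaf(corpRoot, "timesheet.corp.example") // hypothetical internal app

	fmt.Println("genuine, public roots only:     ", trusted(genuine, "www.example.com", publicRoot.cert))
	fmt.Println("forged, public roots only:      ", trusted(forged, "www.example.com", publicRoot.cert))
	fmt.Println("forged, corp root installed:    ", trusted(forged, "www.example.com", publicRoot.cert, corpRoot.cert))
	fmt.Println("timesheet, public roots only:   ", trusted(timesheet, "timesheet.corp.example", publicRoot.cert))
	fmt.Println("timesheet, corp root installed: ", trusted(timesheet, "timesheet.corp.example", publicRoot.cert, corpRoot.cert))
	fmt.Println("forged leaf matches genuine pin:", spkiPin(forged) == spkiPin(genuine))
}
```

Removing the corporate root makes the forged www.example.com certificate fail,
but it makes the timesheet certificate fail too, which is the point made in
the reply: the single trust-store change carries both the interception and
the internal PKI, so a client cannot opt out of one alone. Key pinning (or
any out-of-band knowledge of the real server key) is what distinguishes the
two leaves for the same host name.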
