Re: Moving forward on improving HTTP's security

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Fri, 15 Nov 2013 03:19:23 +1300
Message-ID: <5284DBEB.6070205@treenet.co.nz>
To: ietf-http-wg@w3.org

On 14/11/2013 10:34 p.m., Adrien de Croy wrote:
> 
> 
> ------ Original Message ------
> From: "William Chan (陈智昌)" <willchan@chromium.org>
>> On Wed, Nov 13, 2013 at 2:36 PM, Adrien de Croy <adrien@qbik.com> wrote:
>>
>>>
>>> We added MITM in WinGate mostly because Google and FB went to https. 
>>> Google and FB you may take a bow.
>>
>> FWIW, I'm happy those companies went HTTPS, and I'm sad that y'all are
>> offering MITM features in your products. I suppose that if I ask you
>> not to MITM traffic, you wouldn't listen, would you? :P If you feel
>> that MITM is bad for the web, why are you implementing this? Is it
>> simply because if you don't, then someone else will and people will
>> switch from your product?
> we only write the proxy software and provide the feature.  The customer
> decides whether to turn it on or not.
> The customers have been asking for this feature for years. We held off,
> but had to concede when Google and FB went to https, as the rate of
> requests went up.  Much of the competition had been offering it for
> several years.
> 
> So do you really think the vendor company that steadfastly refuses to
> offer it will be the one left standing?  There are already plenty of
> vendors offering this feature.  It's a competitive necessity.
> 
>>
>>>
>>> Does this improve security of the web overall?  IMO no.  People can
>>> now snaffle banking passwords with a filter plugin.
>>
>> Just to be clear, the MITM works because the enterprises are adding
>> new SSL root certificates to the system cert store, right? I agree
>> that that is terrible. I wouldn't use that computer :) I hope we
>> increase awareness of this issue.
> correct.  You can tell if you're being intercepted if the root cert
> doesn't look like who it should be.
> 
>>
>>>
>>> You really want to scale this out?  How will that make it any better?
>>
>> I believe that making communications secure by default will overall
>> improve the security of the web as long as most devices don't have
>> these additional SSL root certificates used by the MITM proxies. You
>> are taking a cynical view on the outcome when communications become
>> secure by default. I disagree.
> I'm not talking about a hypothetical future.  We're seeing it now.  More
> and more MITMs are being deployed.  That's not a cynical or pessimistic
> view, it's simply accepting reality.
> 

We need some numbers to back this up.


* Here is the graph of Squid user queries about intercept / MITM proxy.
For bias reduction I have eliminated the Squid Project members who
respond to a lot of user queries.

http://markmail.org/search/?q=intercept+list%3Aorg.squid-cache.squid-users+-from%3A%22Henrik+Nordstrom%22+-from%3A%22Alex+Rousskov%22+-from%3A%22Amos+Jeffries%22

Around about May 2012 there is an upward spike of more than double the
normal request rate, at which the volume has so far, for over a year now,
remained steady relative to the cyclic nature of queries.
(https://blog.mozilla.org/futurereleases/2012/05/09/rolling-out-https-google-search/)


* SSL MITM by comparison was under discussion for several years before
the sudden spike.


* Discussion of HTTPS shows a flat graph, but the message topics switch
from primarily discussion of HTTPS in reverse-proxy installations,
towards interception of HTTPS.

* Discussion of transparent proxy shows a flat graph. There is an odd
reduction in the last few years but that is matched by when we split the
traffic mode config options into intercept/sslbump/accel and started
down-playing the term "transparent proxy" for MITM discussion.


Amos
Received on Thursday, 14 November 2013 14:19:55 UTC