
Re: HTTP 2.0 mandatory security vs. Amateur Radio

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Fri, 15 Nov 2013 08:07:20 +0100
Message-ID: <89cc851d90ad23dec99fe063cf15568b.squirrel@arekh.dyndns.org>
To: "Willy Tarreau" <w@1wt.eu>
Cc: "Ryan Hamilton" <rch@google.com>, "David Morris" <dwm@xpasc.com>, "Bruce Perens" <bruce@perens.com>, "Roberto Peon" <grmocg@gmail.com>, "James Snell" <jasnell@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>, "Julian Reschke" <julian.reschke@gmx.de>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>

On Fri, 15 November 2013 07:47, Willy Tarreau wrote:

> The CONNECT method is used to open tunnels through proxies and all proxy
> users who browse in HTTPS use it.

Which makes it a security nightmare, since it allows tunneling any
protocol without control and there are products on the market that
advertise the ability to use connect to bypass any firewall rule.

Thus I resent pretending that connect makes http reliable since its main
point today seems to be to tunnel random non-http junk through security
equipment.

(and I know any encrypted payload by nature can not be controlled but
there is a difference between accepting encrypted bodies inside http
frames with http signalling and tunnelling whole protocols pretty much
unchanged)

-- 
Nicolas Mailhot
Received on Friday, 15 November 2013 07:07:51 UTC
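
Added example, not part of the original message: a sketch of the control a forward proxy can still apply to CONNECT, restricting the target port and checking that the first bytes sent through the tunnel form a TLS ClientHello record. The port policy, function names and sample inputs are assumptions constructed for illustration; the check confirms only that the tunnel starts as TLS, not what is carried inside it.

```python
import re

# Assumed local policy (not from the message): CONNECT is allowed to port 443 only.
ALLOWED_PORTS = {443}
CONNECT_RE = re.compile(
    r"^CONNECT\s+(\[[0-9A-Fa-f:.]+\]|[^\s:/]+):(\d{1,5})\s+HTTP/1\.[01]$")

def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return m.group(1).strip("[]").lower(), port

def looks_like_tls_client_hello(first_bytes):
    """True if the first tunnel bytes are a TLS handshake record with a ClientHello."""
    if len(first_bytes) < 6:
        return False
    record_len = int.from_bytes(first_bytes[3:5], "big")
    return (first_bytes[0] == 0x16            # record type: handshake
            and first_bytes[1] == 0x03        # record version 3.x
            and first_bytes[2] <= 0x04
            and 0 < record_len <= 16384       # TLS plaintext record limit
            and first_bytes[5] == 0x01)       # handshake type: ClientHello

def evaluate_tunnel(request_line, first_bytes):
    """Return 'allow', 'deny-malformed', 'deny-port' or 'deny-not-tls'."""
    target = parse_connect(request_line)
    if target is None:
        return "deny-malformed"
    if target[1] not in ALLOWED_PORTS:
        return "deny-port"
    if not looks_like_tls_client_hello(first_bytes):
        return "deny-not-tls"
    return "allow"

# Constructed samples: (request line, first bytes the client sends after the 200 reply).
SAMPLES = [
    ("CONNECT www.example.com:443 HTTP/1.1", bytes.fromhex("1603010200010001fc0303")),
    ("CONNECT host.example.net:22 HTTP/1.1", b"SSH-2.0-example\r\n"),
    ("CONNECT host.example.net:443 HTTP/1.1", b"SSH-2.0-example\r\n"),
    ("CONNECT http://example.com/ HTTP/1.1", b""),
]

if __name__ == "__main__":
    for line, data in SAMPLES:
        print(evaluate_tunnel(line, data), "<-", line)
```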
