- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 15 Nov 2013 08:20:19 +0100
- To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Cc: Ryan Hamilton <rch@google.com>, David Morris <dwm@xpasc.com>, Bruce Perens <bruce@perens.com>, Roberto Peon <grmocg@gmail.com>, James Snell <jasnell@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Julian Reschke <julian.reschke@gmx.de>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
On Fri, Nov 15, 2013 at 08:07:20AM +0100, Nicolas Mailhot wrote: > > Le Ven 15 novembre 2013 07:47, Willy Tarreau a écrit : > > > The CONNECT method is used to open tunnels through proxies and all proxy > > users who browse in HTTPS use it. > > Which makes it a security nightmare, since its allows tunneling any > protocol without control and there are products on the market that > advertise the ability of using connect to bypass any firewall rule. Yes for sure, just like Upgrade. But most of the MITM boxes that make port 80 unreliable are caches, load balancers and web compressors. They're only there to reduce internet access costs, not for security, so that's not a problem. However I've already heard an ISP ask me if it was possible to transparently intercept https using haproxy because the increase in https traffic was reducing the efficiency of their caches to a point of becoming business critical. I said no we can't do that, but I'm quite convinced they found a solution since then. Willy
Received on Friday, 15 November 2013 07:20:49 UTC