W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: What will incentivize deployment of explicit proxies?

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 10 Dec 2013 18:43:55 +1300
Message-ID: <52A6AA1B.6090504@treenet.co.nz>
To: ietf-http-wg@w3.org
On 10/12/2013 3:02 p.m., Stephen Farrell wrote:
> 
> 
> On 12/10/2013 01:45 AM, William Chan (ι™ˆζ™Ίζ˜Œ) wrote:
>> Just so we're clear, the common methods already in use impact all
>> consumers of TLS, not just browsers. They're getting added to the
>> system certificate store, so they affect all applications. But the
>> primary reason that it gets installed in the system certificate store
>> is because these proxies want to MITM browser connections.
> 
> Right. And if vendors, operators or users do that that's their
> responsibility. But if we do/endorse that, then we (the IETF)
> have to bear some responsibility for other uses of TLS or we're
> not doing our job. At least to the level of knowing what might
> be broken, but even that's a huge job. So I really think the
> HTTP proxy issue is best addressed via HTTP mechanisms to be
> honest.
> 

And there is the rub. You see there are no HTTP mechanisms until the TLS
has been MITM'd away.

Amos
Received on Tuesday, 10 December 2013 05:44:24 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC