- From: Roland Zink <roland@zinks.de>
- Date: Thu, 24 Jul 2014 13:13:17 -0400
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> On 24.07.2014 at 10:47, Amos Jeffries <squid3@treenet.co.nz> wrote:
>
>> On 25/07/2014 1:22 a.m., Roland Zink wrote:
>> Accessing web sites through TLS gives the feeling of just talking to
>> this site.
>
> Such feeling is an illusion. Human estimations about security and safety
> are notoriously inaccurate. :)
> It is often the case that http:// traffic going to a local proxy which
> encrypts using only the latest most secure TLS 1.2 ciphers is far better
> for safety than the browser itself connecting https:// directly with
> silent fallback to outdated TLS or even SSL encryption.
>
>> The retrieved HTML content however causes the browser to open
>> more connections for subresources of the displayed page, e.g. there are
>> multiple endpoints and third parties are involved. It is known that in
>> some countries it is possible for intelligence agencies to get access to
>> the data after decryption has been done. If encryption is done to
>> provide real end to end security then the use of any third party
>> subresource must be avoided in order to not violate the users' privacy
>> concerns. For example an intelligence agency can surveil who is browsing
>> where by just using some tracking companies' data including the referer
>> header data, even cookies and other tracking data.
>>
>> When a http2 browser is using TLS then it should use a single end-to-end
>> connection and refrain from opening any further connections. The server is
>> the endpoint and is therefore not allowed to forward the request. Any
>> proxy / gateway must mark responses with a via header and http2 clients
>> using a TLS connection must close the connection if they discover such a
>> via header.
>>
>
> Which requirement to add Via exists in RFC2616 and is already soundly
> ignored by the intelligence community middleware causing risk.

Exactly

> The only thing this advice will do is break end-user middleware
> providing useful and non-harmful protection. Users' AV or adware
> protection, corporate TLS tunnel proxies, ISP based AV proxy, content
> provider CDN TLS gateway, and such like.
>
>
> Also, please do not confuse TLS and HTTPS.
> - Any agent using *TLS* should expect the connection to the server it
> is connecting to be secure. Hops beyond that server are not relevant and
> offer no guarantee of security.
> - Any agent using *HTTPS* should expect end-to-end security even if
> that connection goes via several proxy hops.

To be more exact I should have used https.

> Amos
>
>
Received on Thursday, 24 July 2014 17:13:40 UTC
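The client-side rule Roland proposes (an https:// client that finds a Via header in a response treats the path as not end-to-end and closes the connection) can be made concrete. The following is an added example written for this archive page; it is not code from the thread, from Squid, or from any HTTP/2 implementation. It parses a raw response header block, combines repeated Via fields, and splits the Via value with the RFC 7230 section 5.7.1 grammar (received-protocol, received-by, optional parenthesised comment), so a comma inside a comment does not produce a phantom hop. The response header blocks are constructed sample input. Amos's caveat applies unchanged: this only detects intermediaries that choose to add Via, so an empty result is not evidence that the path was end-to-end.

```python
"""Detect intermediaries advertised in the Via header of an HTTP response.

Added example for the mailing-list discussion above (not code from the
thread or any project). Implements the policy Roland proposes: an HTTPS
client that sees any Via header rejects the response. Sample header
blocks below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ViaHop:
    protocol_name: Optional[str]   # None when only a version like "1.1" is present
    protocol_version: str
    received_by: str               # host[:port] or a pseudonym
    comment: Optional[str]         # parenthesised comment, if the hop added one


def _split_via_elements(value: str) -> List[str]:
    """Split a Via field value on commas that are not inside a (comment)."""
    elements, current, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        if ch == "," and depth == 0:
            elements.append("".join(current))
            current = []
        else:
            current.append(ch)
    elements.append("".join(current))
    return [e.strip() for e in elements if e.strip()]


def parse_via(value: str) -> List[ViaHop]:
    """Parse a Via value into hops per RFC 7230 5.7.1 (first hop is nearest the origin)."""
    hops = []
    for element in _split_via_elements(value):
        parts = element.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"malformed Via element: {element!r}")
        proto, received_by = parts[0], parts[1]
        comment = parts[2].strip() if len(parts) == 3 else None
        if comment is not None and not (comment.startswith("(") and comment.endswith(")")):
            raise ValueError(f"trailing data is not a comment: {comment!r}")
        name, _, version = proto.rpartition("/")   # "HTTP/1.1" -> ("HTTP", "1.1"); "1.1" -> ("", "1.1")
        hops.append(ViaHop(name or None, version, received_by, comment))
    return hops


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse a CRLF-delimited response head; repeated fields are joined with ', '."""
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:            # lines[0] is the status line
        if not line:
            break                     # blank line ends the header block
        name, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key, val = name.strip().lower(), val.strip()
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return headers


def intermediaries_on_path(raw_headers: str) -> List[ViaHop]:
    """Every hop that announced itself via the Via header (possibly none)."""
    via = parse_header_block(raw_headers).get("via")
    return parse_via(via) if via else []


def accept_https_response(raw_headers: str) -> bool:
    """Roland's rule: over HTTPS, any Via header means the connection is closed."""
    return not intermediaries_on_path(raw_headers)


# Constructed sample responses (not captured traffic).
DIRECT_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
PROXIED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Via: 1.1 proxy.example.net:3128 (cache, stage 1), 1.0 fred\r\n"
    "Via: HTTP/2.0 gateway.example.com\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT_RESPONSE), ("proxied", PROXIED_RESPONSE)):
        print(label, "accepted" if accept_https_response(raw) else "rejected")
        for hop in intermediaries_on_path(raw):
            print("  hop:", hop)
```

The comma-aware split matters because a proxy's comment may legitimately contain commas; a naive `value.split(",")` would report four hops for the constructed response instead of three, and a policy that counts hops would then act on bad data.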