- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 30 Mar 2015 12:56:10 -0500
- To: Yoav Nir <ynir.ietf@gmail.com>
- Cc: Adrien de Croy <adrien@qbik.com>, Cory Benfield <cory@lukasa.co.uk>, Glen <glen.84@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 30 March 2015 at 08:03, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Not quite. ALPN is carefully engineered to play nice with MitM. The MitM that are installed now (and for the last 8 years) will easily strip the ALPN extension and downgrade client and server to HTTP/1.

I'm sure that this statement makes some people very sad. That said, I can't see how a box that is able to MitM TLS can be prevented from doing more than ALPN stripping. If the client trusts it, then it's got carte blanche access.

Received on Monday, 30 March 2015 17:56:38 UTC