
Re: Call for Adoption: Encrypted Content Encoding

From: Roland Zink <roland@zinks.de>
Date: Tue, 1 Dec 2015 01:19:11 +0100
To: Jim Manico <jim@manicode.com>, ietf-http-wg@w3.org
Message-ID: <565CE77F.80709@zinks.de>
On 01.12.2015 at 00:32, Jim Manico wrote:
> > TLS is also end-to-end
>
> No way is that true. TLS per the standard can be MITM'ed by proxies in 
> ways that subvert both certificate pinning and HSTS in ways that do 
> NOT inform the user in any browser today. I'm happy to provide 
> references to this if you like.
>
The browser will build an end-to-end TLS tunnel through known proxies. 
Intercepting proxies may do MITM, and RFC 7469 says it is allowed for 
clients to turn off pin validation based on some policy and still be 
compliant. Is this what you want to reference?

However, it is also compliant not to do this and to do pin validation.

RFC 7469 section 2.6. Validating Pinned Connections

  ...

  It is acceptable to allow Pin Validation to be disabled for some Hosts
  according to local policy. For example, a UA may disable Pin Validation
  for Pinned Hosts whose validated certificate chain terminates at a
  user-defined trust anchor, rather than a trust anchor built-in to the UA
  (or underlying platform).
Received on Tuesday, 1 December 2015 00:19:38 UTC
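An added example (mine, not code from the thread or from any browser) of the decision the quoted RFC 7469 text describes: a user agent computes SPKI pins for a validated chain and either enforces them or, under the local-policy carve-out, skips enforcement when the chain terminates at a user-defined trust anchor. The chain representation, names and SPKI byte strings are constructed placeholders, not real certificates.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    spki_der: bytes  # DER SubjectPublicKeyInfo; constructed placeholder bytes here


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the SubjectPublicKeyInfo DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_validation(chain, pins, builtin_anchors, user_anchors, disable_for_user_anchors):
    """Decide whether a validated chain (leaf first, trust anchor last) satisfies
    the host's pins. Returns (accepted, reason). With disable_for_user_anchors
    set, the section 2.6 local-policy carve-out applies; unset models the
    stricter, equally compliant UA that always validates pins."""
    anchor = chain[-1]
    if anchor.subject in user_anchors:
        if disable_for_user_anchors:
            return True, "pin validation disabled: user-defined trust anchor"
    elif anchor.subject not in builtin_anchors:
        return False, "chain does not terminate at a trust anchor"
    for cert in chain:  # any pinned SPKI anywhere in the chain satisfies the pin set
        if spki_pin(cert.spki_der) in pins:
            return True, f"pin matched SPKI of {cert.subject}"
    return False, "no pinned SPKI in validated chain"


# Constructed sample data (not real keys or certificates).
LEAF = Cert("example.com", b"constructed-spki-leaf")
BACKUP = Cert("backup-key", b"constructed-spki-backup")
PUBLIC_ROOT = Cert("Builtin Root CA", b"constructed-spki-public-root")
PROXY_LEAF = Cert("example.com", b"constructed-spki-proxy-leaf")
PROXY_ROOT = Cert("Corp Proxy CA", b"constructed-spki-proxy-root")

PINS = {spki_pin(LEAF.spki_der), spki_pin(BACKUP.spki_der)}  # as sent in Public-Key-Pins
BUILTIN = {PUBLIC_ROOT.subject}
USER_DEFINED = {PROXY_ROOT.subject}  # e.g. an admin-installed interception CA


def genuine_chain():
    return pin_validation([LEAF, PUBLIC_ROOT], PINS, BUILTIN, USER_DEFINED, True)


def intercepted_chain(disable_for_user_anchors):
    return pin_validation([PROXY_LEAF, PROXY_ROOT], PINS, BUILTIN, USER_DEFINED,
                          disable_for_user_anchors)
```

Calling `intercepted_chain(True)` shows the chain being accepted purely on local policy, while `intercepted_chain(False)` shows the strict UA rejecting it because no pinned SPKI appears in the chain.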
