- From: Roland Zink <roland@zinks.de>
- Date: Tue, 1 Dec 2015 01:19:11 +0100
- To: Jim Manico <jim@manicode.com>, ietf-http-wg@w3.org
Am 01.12.2015 um 00:32 schrieb Jim Manico:
> > TLS is also end-to-end
>
> No way is that true. TLS per the standard can be MITM'ed by proxies in
> ways that subvert both certificate pinning and HSTS in ways that do
> NOT inform the user in any browser today. I'm happy to provide
> references to this if you like.
>
The browser will build a end to end TLS tunnel through known proxies.
Intercepting proxies may do MITM and
RFC7469 says it is allowed for clients to turn off pin validation based
on some policy and still be compliant. Is this what you want to reference?
However it is also compliant to not do this and do pin validation.
RFC 7469 section 2.6. Validating Pinned Connections
...
It is acceptable to allow Pin
Validation to be disabled for some Hosts according to local policy.
For example, a UA may disable Pin Validation for Pinned Hosts whose
validated certificate chain terminates at a user-defined trust
anchor, rather than a trust anchor built-in to the UA (or underlying
platform).
Received on Tuesday, 1 December 2015 00:19:38 UTC