W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 5 Dec 2015 09:45:48 +1100
Message-ID: <CABkgnnVMJg_0og=iW__rzK+jUG935tuTumsMgZiJLhx-6pM-GQ@mail.gmail.com>
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Dec 5, 2015 8:21 AM, "Alex Rousskov" <rousskov@measurement-factory.com>
wrote:
> Unfortunately, MitM attacks on consenting participants are increasingly
> necessary today.

Isn't a big part of this debate over a disagreement about what is necessary?

> No, secure communication with forward proxies is currently not supported
> by many popular browsers. They can tunnel HTTPS through a forward HTTP
> proxy, but they cannot be configured to encrypt their connection to the
> forward proxy using TLS.

Firefox definitely supports https proxies. I think that Chrome does too.

> I have consented. I have set up an explicit proxy. The proxy plays by
> the rules. And yet nothing works! At this point, my employer is forced
> to attack my HTTPS traffic even though neither they nor me want to
> resort to those dirty tricks.

But you are not the only party that has to consent. This is a two party
conversation, and it is very clear that the other party has not consented.
(Leave aside for the moment that this is still just a technical limitation,
you could write your own browser that would work in this situation. I could
even tell you how to disable pinning...)
Received on Friday, 4 December 2015 22:46:20 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC