Re: [hrpc] HTTP status code for "access blocked to protect you against malware/phishing/etc"?

On Nov 20, 2017, at 10:33 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> It seems to me that a status code for "intercepted and blocked for
> your safety" could be useful for 2) and probably for 1).

In the first case, the point is that if the browser says "this was blocked by FOO," that's going too far, and if you allow whoever blocked it to say why it was blocked, that becomes an attack surface for anyone on-path.

What David suggested was that we need a way to cryptographically sign these messages so that we can validate who sent them. If we trust that entity, then we can present the information to the user; otherwise not. If it's the local government, we can trust them in the sense of believing that it was the local government that did the intercept, not someone else, and that can be presented to the user. Etc.

Received on Monday, 20 November 2017 16:45:18 UTC
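
The validation step discussed in this message, sketched as an added example that is not part of the original email or of any specification: a client shows a blocker's identity and reason only when the notice verifies under a key it already trusts. The notice format, field names, `resolver.example` and the trust store are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed keys: one blocker the client trusts, one on-path party it does not.
const resolver = crypto.generateKeyPairSync('ed25519');
const onPath = crypto.generateKeyPairSync('ed25519');

// Hypothetical client trust store: signer id -> Ed25519 public key.
const trustStore = new Map([['resolver.example', resolver.publicKey]]);

// Blocker side: sign the blocked URL together with the reason, so a notice
// cannot be reused for a different URL.
function signNotice(signer, url, reason, privateKey) {
  const payload = JSON.stringify({ signer, url, reason });
  const sig = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, sig };
}

// Client side: anything that fails validation collapses to a generic message,
// so unauthenticated text never reaches the user.
function renderBlock(notice, requestedUrl) {
  const generic = 'This request was blocked.';
  try {
    const claim = JSON.parse(notice.payload);
    if (!claim || typeof claim !== 'object') return generic;
    const key = trustStore.get(claim.signer);
    if (!key || claim.url !== requestedUrl) return generic;
    // Verify over the exact bytes received, not a re-serialized object.
    const ok = crypto.verify(null, Buffer.from(notice.payload), key,
                             Buffer.from(notice.sig, 'base64'));
    return ok ? `Blocked by ${claim.signer}: ${claim.reason}` : generic;
  } catch {
    return generic; // malformed payload or signature
  }
}
```
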