Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

Eric,

> On 20 Dec 2014, at 5:52 pm, Eric J. Bowman <eric@bisonsystems.net> wrote:
> 
> Mark Nottingham wrote:
>> 
>> What I find interesting is that by the numbers I’ve seen and talked
>> to people about in the industry, the vast majority of people *don’t*
>> use a proxy cache; that said, what we all seem to be concerned about
>> are those specific cases where they are used, and they really help.
>> 
> 
> Or, don't *think* they use a proxy cache. Most industry insiders will
> say conneg is irrelevant, while using conneg to implement compression,
> so I have low confidence that they're aware of various devices between
> themselves and the websites they access.

Sorry, what’s the logical link there? You’ve lost me...

> 
> I'm about to post this link in another response...
> 
> http://www.cs.washington.edu/research/security/web-tripwire/nsdi-2008.pdf
> 
> ...but it's interesting to note that aside from squid, there's no
> overlap between that document's list of intermediaries, and one we came
> up with on rest-discuss a few years back. They're called "transparent"
> proxies for a reason, even if they don't cache, and HTTPS threatens
> that entire ecosystem.

That “ecosystem” is generally considered to be abusive and illegitimate by the IETF; there’s a long history of condemnation of “interception” a.k.a. “transparent” proxies in the IETF, and enumeration of lots of problems they cause. 

E.g., see:
  http://tools.ietf.org/html/rfc3143
  http://tools.ietf.org/html/draft-hildebrand-middlebox-erosion-01

It also has never been a recognised mode of proxying in HTTP.


>>> 3) We had an interesting offline discussion at the privacy workshop
>>> on “imagine if every router on the internet did NAT”.  This means
>>> that the ability to trace people by IP address would be curtailed:
>>> people often don’t both to reduce fingerprinting because the source
>>> IP address has already ‘given the game away'. It’s an interesting
>>> thought experiment, but its impact on security might be negative.
>>> (And there are many other problems, notably pper-peer connections
>>> for things like telephony.)
>>> 
>>> Maybe worth a paragraph?
>> 
>> Once one scratches the surface, you can find a multitude of security
>> and privacy issues on the Web and Internet. While they’re important
>> issues to consider, I’m striving to NOT make this finding the
>> be-all-and-end-all of security and privacy, because it will make it
>> that much difficult to agree upon, read, and understand. Small
>> steps...
>> 
> 
> Provided those steps are going in the right direction, vs. painting the
> Web into a corner.
> 
> FWIW, my NAT gives me away due to timezone and clock skew. Those two
> data points equate to like, 1 in 500. Orthogonal, but add Opera and
> 1600x1200 resolution, and four data points nail me right down. Being a
> modern dinosaur really makes me stick out...
> 
> While I can appreciate the desire for TAG to crank out a producible, I
> have issues with anointing TLS when it doesn't address the root problem
> of page integrity, while doing away with caching I may very well need
> even more, if Net Neut goes the way of the Dodo.

I’m really not following you, sorry.

Cheers,


--
Mark Nottingham   http://www.mnot.net/

Received on Saturday, 20 December 2014 07:14:00 UTC