Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

On 06.08.2016 02:25, Mark Nottingham wrote:
> Would this help?
>
> https://mnot.github.io/I-D/proxy-explanation/
>
> Keep in mind that only helps for configured proxies.
>
configured proxies are not the bug; why not just simply use plain HTML?

your sample could then just be this simple:

HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: no-cache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Policy Violation</TITLE>
</HEAD>
<BODY>
<H1>Policy Violation</H1>
<UL>
<LI>This content is above your pay grade.<A HREF="https://acme.example.com/why?https://www.example.net">More Info</A>.
</LI>
</UL>
<HR>
<ADDRESS>Acme Networks Proxy</ADDRESS>
</BODY>
</HTML>

is this really a disadvantage doing it this way? and if yes, why?

without having the signing certificate used by the proxy installed in the certstore of the client
the "new way" has no advantages;

Received on Sunday, 7 August 2016 17:28:29 UTC