Re: multiplexing -- don't do it

On Tue, Apr 3, 2012 at 1:04 AM, Robert Collins <robertc@squid-cache.org>wrote:

> On Tue, Apr 3, 2012 at 10:38 AM, William Chan (陈智昌)
> <willchan@chromium.org> wrote:
> > Hypothetically speaking, if HTTP/2.0 were TLS only, then either vendors
> > would have to move to explicit proxies or to SSL MITM...
>
> You say 'move to', but the reality has been for years that vendors
> *have* SSL MITM up and running. Hell, a CA was busted a month or so
> back for issuing wildcard certs (top level wildcard no less!) to
> organisations that wanted to MITM all their traffic... nevermind that
> they could then issue a cert for *any* domain which would be in
> default browsers cert list...
>
> SSL MITM isn't something we need to work hard to *avoid*, its
> something we have to deal with today.
>
> The best we can do is setup an environment where there is less or even
> no need for SSL MITM, where folk that are doing SSL MITM today can
> migrate to something a little less toxic tomorrow.
>

Not sure if you were suggesting I disagreed in any way :) I agree, which is
why we should push forward an explicit proxy solution, which is IMO far
less toxic.


>
> -Rob
>

Received on Monday, 2 April 2012 23:15:54 UTC