Re: multiplexing -- don't do it from 陈智昌 on 2012-04-02 (ietf-http-wg@w3.org from April to June 2012)

From: 陈智昌 <willchan@chromium.org>
Date: Tue, 3 Apr 2012 01:15:26 +0200
To: Robert Collins <robertc@squid-cache.org>
Cc: "Adrien W. de Croy" <adrien@qbik.com>, Roberto Peon <grmocg@gmail.com>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAA4WUYjdi6LhEBd_CE8GipXdKDfzd-yXwbsoXmWCxqp6R_XcjA@mail.gmail.com>

On Tue, Apr 3, 2012 at 1:04 AM, Robert Collins <robertc@squid-cache.org>wrote:

> On Tue, Apr 3, 2012 at 10:38 AM, William Chan (陈智昌)
> <willchan@chromium.org> wrote:
> > Hypothetically speaking, if HTTP/2.0 were TLS only, then either vendors
> > would have to move to explicit proxies or to SSL MITM...
>
> You say 'move to', but the reality has been for years that vendors
> *have* SSL MITM up and running. Hell, a CA was busted a month or so
> back for issuing wildcard certs (top level wildcard no less!) to
> organisations that wanted to MITM all their traffic... nevermind that
> they could then issue a cert for *any* domain which would be in
> default browsers cert list...
>
> SSL MITM isn't something we need to work hard to *avoid*, its
> something we have to deal with today.
>
> The best we can do is setup an environment where there is less or even
> no need for SSL MITM, where folk that are doing SSL MITM today can
> migrate to something a little less toxic tomorrow.
>

Not sure if you were suggesting I disagreed in any way :) I agree, which is
why we should push forward an explicit proxy solution, which is IMO far
less toxic.


>
> -Rob
>

Received on Monday, 2 April 2012 23:15:54 UTC