Re: multiplexing -- don't do it

Don't you think there will be another layer to the corporate SSL onion once this one is peeled back? 



Banks will race to provide access that ISPs can't see.  Heck, people on this mailing list will have an extra layer of encryption to their server running at home as soon as their coporation can see all of their SSL traffic.  These will all be tunneling over 80 too...  >.< 



I don't think we'd be able to claim anything other than an ephemeral victory on this one subpoint. 



-Ray 



(further -- with a forced explicit secure proxy, won't ISPs actually be in a better position to behave badly than they are right now?) 


----- mike@belshe.com wrote: 
| 
| On Mon, Apr 2, 2012 at 3:28 PM, Adrien W. de Croy < adrien@qbik.com > wrote: 
| 



| 
| ------ Original Message ------ 
| From: "Roberto Peon" < grmocg@gmail.com > 
| 
| To: "Adrien W. de Croy" < adrien@qbik.com > 
| Cc: "Mike Belshe" < mike@belshe.com >;"Amos Jeffries" < squid3@treenet.co.nz >;" ietf-http-wg@w3.org " < ietf-http-wg@w3.org > 
| Sent: 3/04/2012 10:02:56 a.m. 
| Subject: Re: multiplexing -- don't do it 
| 


I don't trust proxies... hopefully that is apparent, but I'm asking for explicit support for them and attempting to deny support for non explicit proxies. 
I don't have a problem with proxy usage moving to explicit only.  We've been trying to get customers to move in that direction for years. 

Customers do like using interception though.  Educating them costs money.  Not providing the feature would cost us sales, until we could get commitment from every other vendor to deprecate the feature. 

if 2.0 can fix this by providing a path forward which doesn't allow it, then everyone will be in the same boat, which is fine with me. 

| 
If we got SSL interception to work with trusted proxies, it would be a huge feature to a lot of corporate sites. Not having to roll out SSL MITM is really valuable to them. 

I'm 100% sure that Chrome & Firefox would get behind a solution which enforced SSL more often and required browsers to support more features with trusted SSL to proxies.   

Mike

Received on Tuesday, 3 April 2012 11:32:21 UTC