Re: Semantics of HTTPS

On 06/08/2012, at 3:43 PM, Willy Tarreau <> wrote:

> On Mon, Aug 06, 2012 at 03:32:01PM -0500, Mark Nottingham wrote:
>> <> is slated to define the semantics of HTTPS urls. 
>> We currently talk about HTTPS' impact on caches and identity there, but we don't mention one other major effect on HTTP -- the use of CONNECT to proxies. 
>> I think we need to define HTTPS as having a semantic of *end-to-end* use of SSL/TLS, and therefore CONNECT to proxies. 
>> Make sense?
> I'd rather have it be the equivalent of the "GET https://" we've been talking
> about, with something different for use with CONNECT. CONNECT is used to
> establish a tunnel, and anything passes through (I'm using it on a daily
> basis to SSH home).
> Many people involved in proxies would like CONNECT to disappear or at least
> to work based on fine whitelists (eg: banks, paypal, ...) and use GET https://
> instead to provide the ability to use safe connections between the proxy and
> the internet, with the ability to block malware.
> Right now this is already performed with CONNECT using awful tricks that
> totally break HTTP and even prevent software such as Firefox from being
> able to upgrade itself, this is a total failure.

Right. That's a big change from the semantics of HTTPS today, though; right now, when I see that, I know that I have end-to-end TLS. If we change that, it's going to require a LOT of coordination with W3C, browsers, privacy people, etc. to make sure expectations are managed, communicated, etc.

I think the question is here is whether end-to-end security is a fundamental part of the semantics of HTTPS, or something that is just a de facto now, and open to being changed later. 

Personally, I think it is; while I can see the use cases you're taking about, having HTTPS URIs become inspectable by proxies is a surprising outcome from a user perspective. 

Perhaps we could say something like "HTTP implies end-to-end security, unless the user has explicitly opted out of it (i.e., in a configuration dialog). When TLS is providing end-to-end security, the CONNECT method is used with proxies."

Just thinking out loud there...

Mark Nottingham

Received on Monday, 6 August 2012 21:06:34 UTC