Re: Semantics of HTTPS from Mark Nottingham on 2012-08-06 (ietf-http-wg@w3.org from July to September 2012)

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 6 Aug 2012 16:06:10 -0500
To: Willy Tarreau <w@1wt.eu>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <8CFB0582-52E8-4ACF-BD6E-24F773C4F5ED@mnot.net>

On 06/08/2012, at 3:43 PM, Willy Tarreau <w@1wt.eu> wrote:

> On Mon, Aug 06, 2012 at 03:32:01PM -0500, Mark Nottingham wrote:
>> <https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p1-messaging.html#https.uri> is slated to define the semantics of HTTPS urls. 
>> 
>> We currently talk about HTTPS' impact on caches and identity there, but we don't mention one other major effect on HTTP -- the use of CONNECT to proxies. 
>> 
>> I think we need to define HTTPS as having a semantic of *end-to-end* use of SSL/TLS, and therefore CONNECT to proxies. 
>> 
>> Make sense?
> 
> I'd rather have it be the equivalent of the "GET https://" we've been talking
> about, with something different for use with CONNECT. CONNECT is used to
> establish a tunnel, and anything passes through (I'm using it on a daily
> basis to SSH home).
> 
> Many people involved in proxies would like CONNECT to disappear or at least
> to work based on fine whitelists (eg: banks, paypal, ...) and use GET https://
> instead to provide the ability to use safe connections between the proxy and
> the internet, with the ability to block malware.
> 
> Right now this is already performed with CONNECT using awful tricks that
> totally break HTTP and even prevent software such as Firefox from being
> able to upgrade itself, this is a total failure.

Right. That's a big change from the semantics of HTTPS today, though; right now, when I see that, I know that I have end-to-end TLS. If we change that, it's going to require a LOT of coordination with W3C, browsers, privacy people, etc. to make sure expectations are managed, communicated, etc.

I think the question is here is whether end-to-end security is a fundamental part of the semantics of HTTPS, or something that is just a de facto now, and open to being changed later. 

Personally, I think it is; while I can see the use cases you're taking about, having HTTPS URIs become inspectable by proxies is a surprising outcome from a user perspective. 

Perhaps we could say something like "HTTP implies end-to-end security, unless the user has explicitly opted out of it (i.e., in a configuration dialog). When TLS is providing end-to-end security, the CONNECT method is used with proxies."

Just thinking out loud there...

--
Mark Nottingham
http://www.mnot.net/

Received on Monday, 6 August 2012 21:06:34 UTC