- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 06 Aug 2012 23:12:08 +0100
- To: Willy Tarreau <w@1wt.eu>
- CC: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Hi Willy,

On 08/06/2012 10:41 PM, Willy Tarreau wrote:
> Hi Stephen,
>
> On Mon, Aug 06, 2012 at 10:33:26PM +0100, Stephen Farrell wrote:
>>> At the moment the state of affairs has created MITM proxies and we'd better
>>> get rid of them by offering a solution to the problem they try to solve.
>>
>> The tls WG was offered that option again last week and rejected it
>> again. If the httpbis WG want to standardise some kind of mitm without
>> changing TLS then that seems to re-define https to me at least.
>>
>> Even though mitm hacks exist and people pay for them, the IETF has
>> actively and repeatedly refused to standardise that behaviour.
>
> I'm not advocating MITM, quite the opposite: I'm advocating valid
> use of proxies via opt-in to put an end to MITM.

I think that depends on how you define MITM. From the point of view of
a site, or a user forced into using this, your approach still seems like
a MITM, just a different one, but still a re-definition of https I think.

> The end user chooses in his browser:
>
> Proxy Connection for HTTPS:
> [ ] proxy may inspect contents fetched over HTTPS (GET https://)
>     except for those sites: _______________

Does that whitelisting approach break TLS client auth and channel
binding? I guess we'd need to see a draft to know but regardless of the
fact that those are not very widely used, re-defining https like this in
a way that breaks those features seems like a bad plan.

> [ ] proxy may not inspect contents fetched over HTTPS (CONNECT)

With what default?

I'd bet there are many wrinkles here. What about use of SNI in TLS to
select between hosts?

Really, I think your proposal doesn't work out in the end. I also
understand why you propose it, but suspect that like many such proposals
there are many more problems than are apparent at first.

S.

> The proxy's policy then enables a number of sites to use CONNECT and
> rejects the other ones. The user is then free to opt in for content
> inspection or reject it. There's no MITM here. The MITM is what is
> currently being done at many places without the user's consent.
>
> Willy
Received on Monday, 6 August 2012 22:12:31 UTC
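The two checkbox modes in the exchange above map onto two different things a client does with a forward proxy: a CONNECT tunnel, where the proxy relays an opaque TLS byte stream and sees only the target host:port (plus the cleartext SNI in the ClientHello), and a proxy that terminates TLS itself and so must present its own certificate to the client. The following is an added example written for this page, not code from the thread, from any draft discussed in it, or from any of the participants. It assumes an HTTP/1.1 forward proxy reachable over TCP; the hostnames, fingerprints and proxy responses in it are constructed for illustration. It builds the CONNECT request, parses the proxy's reply, and then checks the certificate seen through the tunnel against a pinned SHA-256 fingerprint, which is one way a client can tell a relaying proxy from an inspecting one even when the inspecting proxy's CA has been installed in the trust store.

```python
"""CONNECT tunnel versus TLS-terminating proxy: an offline demonstration.

Added example, not part of the original mailing-list thread. Every
hostname, fingerprint and proxy response used below is constructed.
"""
import hashlib
import socket
import ssl
from typing import Tuple


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request a client sends to a forward proxy.

    Only host:port is visible to the proxy at this layer. Once the proxy
    answers 2xx, everything that follows is the client's TLS handshake and
    records, relayed byte-for-byte. (The hostname is also visible in the
    cleartext SNI extension of the ClientHello, which is the point about
    SNI raised in the message above.)
    """
    authority = f"{host}:{port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT.

    Raises ValueError on a malformed status line rather than guessing.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1].decode("ascii"))


def cert_fingerprint(der_cert: bytes) -> str:
    """Lower-case hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def tunnel_is_intact(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """Decide whether the TLS peer reached through the tunnel is the origin.

    With a pure CONNECT relay the certificate the client sees is the
    origin's own. A proxy that inspects content has to terminate TLS and
    present a certificate it controls, so the fingerprint will not match
    the pin even if the proxy's CA is in the local trust store.
    """
    return cert_fingerprint(der_cert) == pinned_fingerprint


def connect_through_proxy(proxy: Tuple[str, int], host: str, port: int,
                          pinned_fingerprint: str) -> Tuple[ssl.SSLSocket, bool]:
    """Open a CONNECT tunnel, start TLS inside it, and check the pin.

    Live network path; not exercised by the offline checks below.
    Returns the TLS socket and whether the pin matched.
    """
    sock = socket.create_connection(proxy)
    sock.sendall(build_connect_request(host, port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    status = parse_connect_response(reply)
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    # server_hostname sets SNI and enables hostname verification. The default
    # context verifies the chain against the system trust store, so an
    # interception CA installed there would pass this step; the pin is the
    # extra check that catches it.
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    return tls, tunnel_is_intact(der, pinned_fingerprint)


if __name__ == "__main__":
    # Constructed inputs standing in for a real DER certificate and proxy reply.
    origin_cert = b"constructed-der-bytes-for-example.com"
    pin = cert_fingerprint(origin_cert)
    print(build_connect_request("example.com", 443).decode())
    print(parse_connect_response(b"HTTP/1.1 200 Connection established\r\n\r\n"))
    print(tunnel_is_intact(origin_cert, pin), tunnel_is_intact(b"proxy-minted-cert", pin))
```

The pin check is deliberately separate from chain validation: a GET https:// via an inspecting proxy, as in the first checkbox, only works because the browser trusts a certificate the proxy can mint, and chain validation alone cannot distinguish that from the origin's certificate. Whether the client treats a mismatch as fatal or merely informational is the policy question the thread is arguing about.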