Re: Moving forward on improving HTTP's security

On 14/11/2013 10:34 p.m., Adrien de Croy wrote:
> ------ Original Message ------
> From: "William Chan (ι™ˆζ™Ίζ˜Œ)" <>
>> On Wed, Nov 13, 2013 at 2:36 PM, Adrien de Croy <> wrote:
>>> We added MITM in WinGate mostly because Google and FB went to https. 
>>> Google and FB you may take a bow.
>> FWIW, I'm happy those companies went HTTPS, and I'm sad that y'all are
>> offering MITM features in your products. I suppose that if I ask you
>> not to MITM traffic, you wouldn't listen, would you? :P If you feel
>> that MITM is bad for the web, why are you implementing this? Is it
>> simply because if you don't, then someone else will and people will
>> switch from your product?
> we only write the proxy software and provide the feature.  The customer
> decides whether to turn it on or not.
> The customers have been asking for this feature for years. We held off,
> but had to concede when Google and FB went to https, as the rate of
> requests went up.  Much of the competition had been offering it for
> several years.
> So do you really think the vendor company that steadfastly refuses to
> offer it will be the one left standing?  There are already plenty of
> vendors offering this feature.  It's a competitive necessity.
>>> Does this improve security of the web overall?  IMO no.  People can
>>> now snaffle banking passwords with a filter plugin.
>> Just to be clear, the MITM works because the enterprises are adding
>> new SSL root certificates to the system cert store, right? I agree
>> that that is terrible. I wouldn't use that computer :) I hope we
>> increase awareness of this issue.
> correct.  You can tell if you're being intercepted if the root cert
> doesn't look like who it should be.
>>> You really want to scale this out?  How will that make it any better?
>> I believe that making communications secure by default will overall
>> improve the security of the web as long as most devices don't have
>> these additional SSL root certificates used by the MITM proxies. You
>> are taking a cynical view on the outcome when communications become
>> secure by default. I disagree.
> I'm not talking about a hypothetical future.  We're seeing it now.  More
> and more MITMs are being deployed.  That's not a cynical or pessimistic
> view, it's simply accepting reality.

We need some numbers to back this up.

* Here is the graph of Squid user queries about intercept / MITM proxy.
For bias reduction I have eliminated the Squid Project members who
respond to a lot of user queries.

Around about May 2012 an upward spike of more than double the normal
request rate at which the volume has so for over a year now remained
steady relative to the cyclic nature of queries.

* SSL MITM by comparison was under discussion for several years before
the sudden spike.

* Discussion of HTTPS shows a flat graphs, but the message topics switch
from primarily discussion of HTTPS in reverse-proxy installations,
towards interception of HTTPS.

* Discussion of transparent proxy shows a flat graph. There is an odd
reduction in the last few years but thet is matched by when we split the
traffic mode config options into intercept/sslbump/accel and started
down-playing teh term "transparent proxy" for MITM discussion.


Received on Thursday, 14 November 2013 14:19:55 UTC