- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Fri, 15 Nov 2013 03:19:23 +1300
- To: ietf-http-wg@w3.org
On 14/11/2013 10:34 p.m., Adrien de Croy wrote:
>
>
> ------ Original Message ------
> From: "William Chan (陈智昌)" <willchan@chromium.org>
>> On Wed, Nov 13, 2013 at 2:36 PM, Adrien de Croy <adrien@qbik.com> wrote:
>>
>>>
>>> We added MITM in WinGate mostly because Google and FB went to https.
>>> Google and FB you may take a bow.
>>
>> FWIW, I'm happy those companies went HTTPS, and I'm sad that y'all are offering MITM features in your products. I suppose that if I ask you not to MITM traffic, you wouldn't listen, would you? :P If you feel that MITM is bad for the web, why are you implementing this? Is it simply because if you don't, then someone else will and people will switch from your product?
>
> We only write the proxy software and provide the feature. The customer decides whether to turn it on or not.
>
> The customers have been asking for this feature for years. We held off, but had to concede when Google and FB went to https, as the rate of requests went up. Much of the competition had been offering it for several years.
>
> So do you really think the vendor company that steadfastly refuses to offer it will be the one left standing? There are already plenty of vendors offering this feature. It's a competitive necessity.
>
>>
>>>
>>> Does this improve security of the web overall? IMO no. People can now snaffle banking passwords with a filter plugin.
>>
>> Just to be clear, the MITM works because the enterprises are adding new SSL root certificates to the system cert store, right? I agree that that is terrible. I wouldn't use that computer :) I hope we increase awareness of this issue.
>
> Correct. You can tell if you're being intercepted if the root cert doesn't look like who it should be.
>
>>
>>>
>>> You really want to scale this out? How will that make it any better?
>>
>> I believe that making communications secure by default will overall improve the security of the web as long as most devices don't have these additional SSL root certificates used by the MITM proxies. You are taking a cynical view on the outcome when communications become secure by default. I disagree.
>
> I'm not talking about a hypothetical future. We're seeing it now. More and more MITMs are being deployed. That's not a cynical or pessimistic view, it's simply accepting reality.
>

We need some numbers to back this up.

* Here is the graph of Squid user queries about intercept / MITM proxy. For bias reduction I have eliminated the Squid Project members who respond to a lot of user queries.

  http://markmail.org/search/?q=intercept+list%3Aorg.squid-cache.squid-users+-from%3A%22Henrik+Nordstrom%22+-from%3A%22Alex+Rousskov%22+-from%3A%22Amos+Jeffries%22

  Around May 2012 there was an upward spike to more than double the normal request rate, at which the volume has for over a year now remained steady relative to the cyclic nature of queries.
  (https://blog.mozilla.org/futurereleases/2012/05/09/rolling-out-https-google-search/)

* SSL MITM by comparison was under discussion for several years before the sudden spike.

* Discussion of HTTPS shows a flat graph, but the message topics switch from primarily discussion of HTTPS in reverse-proxy installations, towards interception of HTTPS.

* Discussion of transparent proxy shows a flat graph. There is an odd reduction in the last few years, but that is matched by when we split the traffic mode config options into intercept/sslbump/accel and started down-playing the term "transparent proxy" for MITM discussion.

Amos
Received on Thursday, 14 November 2013 14:19:55 UTC