W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: HTTP 2.0 mandatory security vs. Amateur Radio

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 15 Nov 2013 08:20:19 +0100
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: Ryan Hamilton <rch@google.com>, David Morris <dwm@xpasc.com>, Bruce Perens <bruce@perens.com>, Roberto Peon <grmocg@gmail.com>, James Snell <jasnell@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Julian Reschke <julian.reschke@gmx.de>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20131115072019.GD11628@1wt.eu>
On Fri, Nov 15, 2013 at 08:07:20AM +0100, Nicolas Mailhot wrote:
> Le Ven 15 novembre 2013 07:47, Willy Tarreau a crit :
> > The CONNECT method is used to open tunnels through proxies and all proxy
> > users who browse in HTTPS use it.
> Which makes it a security nightmare, since its allows tunneling any
> protocol without control and there are products on the market that
> advertise the ability of using connect to bypass any firewall rule.

Yes for sure, just like Upgrade. But most of the MITM boxes that make
port 80 unreliable are caches, load balancers and web compressors.
They're only there to reduce internet access costs, not for security,
so that's not a problem.

However I've already heard an ISP ask me if it was possible to transparently
intercept https using haproxy because the increase in https traffic was
reducing the efficiency of their caches to a point of becoming business
critical. I said no we can't do that, but I'm quite convinced they found
a solution since then.

Received on Friday, 15 November 2013 07:20:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:19 UTC