Re: HTTP 2.0 mandatory security vs. Amateur Radio

On Fri, Nov 15, 2013 at 08:07:20AM +0100, Nicolas Mailhot wrote:
> 
> Le Ven 15 novembre 2013 07:47, Willy Tarreau a écrit :
> 
> > The CONNECT method is used to open tunnels through proxies and all proxy
> > users who browse in HTTPS use it.
> 
> Which makes it a security nightmare, since it allows tunneling any
> protocol without control, and there are products on the market that
> advertise the ability to use CONNECT to bypass any firewall rule.

Yes, for sure, just like Upgrade. But most of the MITM boxes that make
port 80 unreliable are caches, load balancers and web compressors.
They're only there to reduce internet access costs, not for security,
so that's not a problem.

However, I've already had an ISP ask me if it was possible to transparently
intercept https using haproxy, because the increase in https traffic was
reducing the efficiency of their caches to the point of becoming business
critical. I said no, we can't do that, but I'm quite convinced they have found
a solution since then.

Willy

Received on Friday, 15 November 2013 07:20:49 UTC
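The two points argued above (a CONNECT tunnel carries any protocol once the proxy answers 200, and the only control a proxy operator has is to refuse CONNECT to destinations it does not want tunnelled) as an added, self-contained example. This is not code from the thread and not haproxy's; it is a toy CONNECT proxy in Python that enforces a destination-port allowlist, run end to end on 127.0.0.1. The allowlist policy (443 only by default), the `parse_connect`/`serve`/`tunnel_through` helper names and the local echo server that stands in for an arbitrary non-HTTP backend are all assumptions made for the example; the payload is constructed.

```python
"""Toy HTTP CONNECT proxy with a destination-port allowlist (added example).

Demonstrates that after "200 Connection established" the proxy relays raw
bytes of any protocol, and that a port allowlist on the CONNECT target is the
check which blocks "use CONNECT to bypass any firewall rule".  Everything runs
on 127.0.0.1 with ephemeral ports; nothing here is haproxy code.
"""
import socket
import threading

ALLOWED_PORTS = {443}  # assumption: by default only TLS destinations may be tunnelled


def parse_connect(request_line: bytes):
    """Return (host, port) from b'CONNECT host:port HTTP/1.x', or None if malformed."""
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    if host.startswith(b"[") and host.endswith(b"]"):  # IPv6 literal
        host = host[1:-1]
    return host.decode("ascii"), int(port)


def connect_allowed(port: int, allowed=ALLOWED_PORTS) -> bool:
    """The policy check: tunnel only to allowlisted destination ports."""
    return port in allowed


def _read_head(sock):
    """Read up to the blank line ending the HTTP head; return (head, leftover bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf, b""
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst (protocol-agnostic relay)."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, allowed):
    """Serve one CONNECT: 400 if malformed, 403 if port not allowed, else 200 + relay."""
    head, rest = _read_head(client)
    target = parse_connect(head.split(b"\r\n")[0])
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n"); client.close(); return
    host, port = target
    if not connect_allowed(port, allowed):
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n"); client.close(); return
    upstream = socket.create_connection((host, port))
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if rest:  # bytes the client pipelined after its headers belong to the tunnel
        upstream.sendall(rest)
    threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    _pump(client, upstream)


def _listen(handler):
    """Bind an ephemeral 127.0.0.1 port, accept in a daemon thread; return (port, close)."""
    ls = socket.socket(); ls.bind(("127.0.0.1", 0)); ls.listen(5)

    def loop():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1], ls.close


def serve(allowed=ALLOWED_PORTS):
    return _listen(lambda c: _handle(c, allowed))


def echo_server():
    """Stand-in for an arbitrary non-HTTP backend: echoes whatever it receives."""
    return _listen(lambda c: _pump(c, c))


def tunnel_through(proxy_port, host, port, payload: bytes):
    """Ask the proxy for a tunnel; return (status line, bytes echoed back or b'')."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    h = host.encode()
    s.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (h, port, h, port))
    head, got = _read_head(s)
    status = head.split(b"\r\n")[0]
    if not status.startswith(b"HTTP/1.1 200"):
        s.close(); return status, b""
    s.sendall(payload)  # raw bytes, not HTTP: the proxy cannot tell what protocol this is
    s.shutdown(socket.SHUT_WR)
    while len(got) < len(payload) and (chunk := s.recv(4096)):
        got += chunk
    s.close()
    return status, got


def demo():
    """Run one allowed and one denied CONNECT; return (ok_status, echoed, denied_status)."""
    echo_port, stop_echo = echo_server()
    proxy_port, stop_proxy = serve(allowed={echo_port})  # echo port plays the role of 443
    payload = b"\x01\x02SSH-2.0-not-http\r\n"  # constructed: clearly not HTTP or TLS
    ok_status, echoed = tunnel_through(proxy_port, "127.0.0.1", echo_port, payload)
    denied_status, _ = tunnel_through(proxy_port, "127.0.0.1", echo_port + 1, payload)
    stop_echo(); stop_proxy()
    return ok_status, echoed, denied_status


if __name__ == "__main__":
    print(demo())
```

The allowlist is enforced on the port the client asks for, before any upstream connection is opened, which is the only point at which the proxy still knows anything about the traffic; after the 200 it is a blind byte relay, which is exactly why `tunnel_through` can push non-HTTP bytes through it. A real deployment would restrict hosts as well as ports and log refused CONNECTs.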