Re: Yet another trusted proxy suggestion

On 11/30/2013 03:54 PM, Paul Hoffman wrote:
> On Fri, Nov 29, 2013 at 1:45 AM, Nicolas Mailhot <
> nicolas.mailhot@laposte.net> wrote:
> 
>>
>> So unless a bank representative states the contrary, all my technical
>> experience screams its a non-problem.
>>
> 
> +1. Stephen's response (that a bank can't currently know if there is a TLS
> proxy in HTTP/1.1) ignores what Yoav said, which is that such a bank could
> detect that by forcing client auth. Of course they won't do that, but they
> of course also won't have to because then they would be forced to not have
> internet banking.

That's not entirely logical. I agree they won't require TLS client auth.
That's nothing to do with MITM attack boxes though afaik, or do you have
some reason to think it is?

> Stephen: if you have a real regulation and legal interpretation that we can

I made no such claim.

> look at, we can look at that. "What if someone interprets a law in the way
> I want them to because I don't like TLS proxies..." is not a useful
> measure.

Correct and I'd have been wrong had I said that. Luckily I did not.

But I also wish there were some folks from web sites represented here
that had things to say. But there don't seem to be, so I picked a
non-crazy example of a real e2e confidentiality requirement that poses
a hard question for those who want to develop these proxy solutions.
The answer so far seems to me to be to deny the existence of the
problem, which is not very promising.

Secondarily, that highlights that any proxy solution that claims
to give a site a "choice" has to have a way to authenticate the
proxy to the site. Protocol-wise that might be easy. But I suspect
in practice its very hard. I don't believe I've seen that accepted
or disputed by those in favour of proxies either.

S.

Received on Saturday, 30 November 2013 16:21:36 UTC