- From: Yoav Nir <synp71@live.com>
- Date: Sat, 7 Dec 2013 00:42:56 +0200
- To: "William Chan (陈智昌)" <willchan@chromium.org>, Martin Thomson <martin.thomson@gmail.com>
- CC: Werner Baumann <werner.baumann@onlinehome.de>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <BLU0-SMTP2216EA7662DA1607C5A756B1D60@phx.gbl>
"Don't let anybody kid you. It's all personal, every bit of business."
In this case, I disagree with Martin. This is not a problem that we can 
avoid externalizing. Deciding whether a particular proxy is acceptable 
to the user of a browser requires information that we don't have. We 
don't have it at the IETF, and we don't have it where browsers are 
developed.
A browser can learn of the existence of a TLS proxy. This information 
may come from an HTTP code, a TLS alert, DHCP, DNS, or whatever other 
discovery mechanism we can think of. Whether this proxy is acceptable 
depends on so many factors:
  * Who deployed this proxy? (can probably be deduced from the name in its
    certificate, but only sort-of) Maybe your workplace is acceptable,
    but the ISP or some other workplace is not.
  * What is it doing with the cleartext traffic?  Caching? Filtering?
    Recording? Looking for terrorism/criminal activity? Assuring a
    non-hostile workplace?  There are no technical ways to know these
    things. You'll have to learn them by social means - ask the IT
    person, ask your boss, require by law all installed proxies to
    disclose what they are doing. None of this can be done by Will or
    his security team.
  * Does the product used for the proxy have a recording function that
    can be used in case of a legal mandate?  If so, what procedural
    mechanism protects the users from someone at IT using it to spy on them?
  * Does the product used for the proxy have a backdoor for
    interception?  Will and his security team don't know. The boss and
    the IT person may not know that either.
It's a complex decision affected by many objective factors and some 
subjective attributes of the user. This is not a decision we can make on 
behalf of the user. This is very different from reporting on a bad 
certificate.
Hopefully, this will be a rare decision that users don't have to face 
every day.
Yoav
On 7/12/13 12:12 AM, William Chan (陈智昌) wrote:
> Hey hey, there's no reason to make this personal :) I never said I
> have no responsibility here. I just tried to make a funny quip that
> the...more passionate factions of the larger Chromium project will be
> very...passionate in their response to certain ideas. Is there a
> reason you wish to make this about me all of a sudden?
>
> Let me be clear, I in general think it's terrible to burden the user
> with decisions which they are largely unable to reason about. And I
> think it's wrong to expect them to have the knowledge to reason about
> it. And I disagree with the argument that browser vendors must provide
> all possible configuration options so users can do whatever they want.
>
> On Fri, Dec 6, 2013 at 1:27 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> On 6 December 2013 12:26, Werner Baumann <werner.baumann@onlinehome.de> wrote:
>>> [...] the dogma that users are stupid.
>> Not stupid, never stupid.  It's respect.
>>
>> UI surface area imposes costs upon users.  We cannot - should not -
>> externalize our problems by shunting them on users.
>>
>> This isn't purely a security problem either; there are security
>> aspects to this, but they aren't the only concerns.  I expect better
>> of Will than to try to shift focus onto some faceless "security team",
>> he owns some responsibility here too.
>>
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Friday, 6 December 2013 22:43:21 UTC