Re: What will incentivize deployment of explicit proxies?

On 10 Dec 2013, at 11:50 am, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> 
> 
> On 12/10/2013 12:44 AM, Mark Nottingham wrote:
>> Sure. I'm thinking in terms of changes in browser behaviour (along
>> the lines that some have already explored), not changing TLS, or even
>> certs, necessarily.
> 
> But there is a problem here - as I understand it many root
> stores have no controls over the protocols with which the
> roots can be used so if you insert a new root then you will
> also have effects on non-HTTP protocols that use TLS.

Yes, that's already happening today. Such controls would indeed be nice.

<https://www.grc.com/miscfiles/HTTPS_Interception_Proxies.pdf> is a nice writeup, and lists a few products that do this at the end. There are others; e.g., <http://wiki.squid-cache.org/Features/SslBump>.

The problem is that installing a new CA is *extremely* common; try searching for "install CA certificate" and you'll see many, many results like <http://community.web.cern.ch/faq/certificate-installation-android>  <-- note that it's even happening where the Web started!

Those CAs then have unlimited power to MITM communication (whether that's their intent or not), and cannot easily be detected when doing so.


> What I've not seen is anyone who's proposing such changes
> (that do affect TLS) volunteering to do that analysis.
> I'd say it's not an easy piece of work but absolutely
> necessary and it might well turn up a conclusion that
> this is a bad idea globally.

AIUI we're already there -- i.e., people think it's a bad idea, but it's happening. 

To be crystal clear -- I'm not talking about making it easier to install CAs in browsers. I'm wondering if we can *constrain* the current practice in a meaningful way, so as to limit the damage of this already-widespread practice.

We may not be able to (either because it's too hard, or because the IETF isn't the right place to do it), but it's worth talking about. One interesting discussion that's related:
  https://code.google.com/p/chromium/issues/detail?id=81623  (CLOSED WONTFIX)

What I don't want to do is spend months-to-years developing a new kind of explicit proxy in HTTP in the *hope* that it'll somehow magically supplant these devices, without some sort of evidence that it has a chance of doing so.

Cheers,
  

--
Mark Nottingham   http://www.mnot.net/

Received on Tuesday, 10 December 2013 02:13:33 UTC
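An added example, not part of this thread and not code from any product mentioned in it, illustrating the detection point raised above: given the certificate chain a client actually sees, the local trust store, and a reference list of publicly trusted root keys, the client can tell whether the connection is anchored only by a locally installed root, or whether the site's key differs from a pin it expected. It goes slightly beyond the message by combining both checks (root-list membership and leaf-key pinning), since a re-signing proxy necessarily substitutes its own key. Everything below is constructed: `Cert` is a stand-in for a parsed X.509 certificate, the `spki` fields hold arbitrary byte strings rather than real DER, the CA names are placeholders, and `build_path` and `classify` are hypothetical helpers written for this illustration.

```python
"""Classify an observed TLS chain: publicly anchored, locally anchored
(e.g. by an installed interception-proxy root), pin mismatch, or untrusted.
All certificates and key material here are constructed placeholders."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields the
    path-building and classification logic needs. `spki` stands in for the
    DER SubjectPublicKeyInfo; here it is a constructed byte string."""
    subject: str
    issuer: str
    spki: bytes


def spki_pin(cert: Cert) -> str:
    """Hex SHA-256 over the SubjectPublicKeyInfo, the usual form of a key pin."""
    return hashlib.sha256(cert.spki).hexdigest()


def build_path(leaf: Cert, extra: List[Cert], trust_store: List[Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf through the presented intermediates
    until a certificate in the local trust store is reached. Returns the path
    (leaf first, anchor last) or None if no anchor is reachable."""
    by_subject = {c.subject: c for c in extra}
    anchors = {c.subject: c for c in trust_store}
    path, cur, visited = [leaf], leaf, {leaf.subject}
    while True:
        if cur.subject == cur.issuer:            # self-signed: must itself be an anchor
            return path if cur.subject in anchors else None
        if cur.issuer in anchors:                # issuer is an installed root
            path.append(anchors[cur.issuer])
            return path
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in visited:  # incomplete or looping chain
            return None
        visited.add(nxt.subject)
        path.append(nxt)
        cur = nxt


def classify(leaf: Cert, extra: List[Cert], trust_store: List[Cert],
             public_root_pins: Set[str], expected_leaf_pin: Optional[str] = None) -> str:
    """'untrusted'    - no path to any installed root
       'pin-mismatch' - a path exists but the leaf key is not the expected one
       'local-root'   - trusted only via a root absent from the public root list
       'public'       - anchored at a publicly trusted root"""
    path = build_path(leaf, extra, trust_store)
    if path is None:
        return "untrusted"
    if expected_leaf_pin is not None and spki_pin(path[0]) != expected_leaf_pin:
        return "pin-mismatch"
    if spki_pin(path[-1]) not in public_root_pins:
        return "local-root"
    return "public"


# --- Constructed sample data (placeholder names and keys, not real certs) ---
PUBLIC_ROOT = Cert("CN=Example Public Root CA", "CN=Example Public Root CA", b"pub-root-key")
PUBLIC_INT = Cert("CN=Example Public Intermediate", "CN=Example Public Root CA", b"pub-int-key")
GENUINE_LEAF = Cert("CN=www.example.com", "CN=Example Public Intermediate", b"site-key")

# A root that was installed on this machine (the practice the thread discusses),
# and the re-signed site certificate a client behind that proxy actually sees.
PROXY_ROOT = Cert("CN=Corporate Proxy CA", "CN=Corporate Proxy CA", b"proxy-root-key")
PROXY_LEAF = Cert("CN=www.example.com", "CN=Corporate Proxy CA", b"proxy-site-key")

TRUST_STORE = [PUBLIC_ROOT, PROXY_ROOT]          # local store trusts both
PUBLIC_PINS = {spki_pin(PUBLIC_ROOT)}            # reference list of public roots only
EXPECTED_SITE_PIN = spki_pin(GENUINE_LEAF)       # pin learned from a clean path


def check_genuine() -> str:
    return classify(GENUINE_LEAF, [PUBLIC_INT], TRUST_STORE, PUBLIC_PINS, EXPECTED_SITE_PIN)


def check_intercepted() -> str:
    return classify(PROXY_LEAF, [], TRUST_STORE, PUBLIC_PINS, EXPECTED_SITE_PIN)


def check_intercepted_without_pin() -> str:
    return classify(PROXY_LEAF, [], TRUST_STORE, PUBLIC_PINS)


def check_unknown_issuer() -> str:
    return classify(Cert("CN=www.example.com", "CN=Nobody", b"x"), [], TRUST_STORE, PUBLIC_PINS)


if __name__ == "__main__":
    for name, fn in [("genuine", check_genuine), ("intercepted", check_intercepted),
                     ("intercepted, no pin", check_intercepted_without_pin),
                     ("unknown issuer", check_unknown_issuer)]:
        print(f"{name}: {fn()}")
```

The root-list check is what a client could do with no prior knowledge of the site (it only needs a reference list of public roots), which is exactly the control the quoted message says root stores lack today; the pin check needs a previously observed clean key but also catches a proxy root that somehow made it into the public list.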