- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 17 Jun 2015 19:27:58 -0700
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 17 June 2015 at 17:54, Adrien de Croy <adrien@qbik.com> wrote:
>> I believe that this is because our users have requested a secure site
>> and anything other than authenticated content provided by that site
>> would present an unparalleled opportunity for MitM phishing attacks.
>
>
> just to clarify then.
>
> It's preferable to MITM the TLS to send a block page back, than to send a
> block page back on a 403 response to the CONNECT?

That's a bit of a leap, isn't it? What I'm suggesting is that if you type https://blah and you don't get something that is authenticated as being from blah, then you expose yourself to problems.

Now, if you wanted to fix this situation, I might suggest that a custom error page might be appropriate. That page might say that the proxy denied the request to connect. Showing content that the proxy provided still seems inadvisable.

Rather than slinging mud, perhaps you could engage with browser vendors in the usual venues:

https://bugzilla.mozilla.org/
https://code.google.com/p/chromium/issues/list
https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer
https://bugs.opera.com/wizard/
https://bugreport.apple.com/
etc...

Received on Thursday, 18 June 2015 02:28:30 UTC