Re: Browser display of 403 responses bodies on CONNECT

On 17 June 2015 at 17:54, Adrien de Croy <adrien@qbik.com> wrote:
>> I believe that this is because our users have requested a secure site
>> and anything other than authenticated content provided by that site
>> would present an unparalleled opportunity for MitM phishing attacks.
>
>
> just to clarify then.
>
> It's preferable to MITM the TLS to send a block page back, than to send a
> block page back on a 403 response to the CONNECT?

That's a bit of a leap, isn't it?

What I'm suggesting is that if you type https://blah and you don't get
something that is authenticated as being from blah, then you expose
yourself to problems.

Now, if you wanted to fix this situation, I might suggest that a
custom error page might be appropriate.  That page might say that the
proxy denied the request to connect.  Showing content that the proxy
provided still seems inadvisable.

Rather than slinging mud, perhaps you could engage with browser
vendors in the usual venues:
https://bugzilla.mozilla.org/
https://code.google.com/p/chromium/issues/list
https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer
https://bugs.opera.com/wizard/
https://bugreport.apple.com/
etc...

Received on Thursday, 18 June 2015 02:28:30 UTC
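
The client behaviour suggested in the message above (a client-generated error page in place of the proxy's response body), as an added example that is not part of the original message or any browser's code. The function names, the page wording and the sample reply are assumptions made for illustration.

```python
import html
import re

# Status line of an HTTP/1.x response: version, 3-digit code, optional reason.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: [^\r\n]*)?$")


def parse_connect_status(raw: bytes):
    """Return the status code of a proxy's reply to CONNECT, or None if malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")  # the body is never inspected
    first_line = head.split(b"\r\n", 1)[0]
    match = STATUS_LINE.match(first_line)
    return int(match.group(1)) if match else None


def handle_connect_reply(raw: bytes, origin: str) -> dict:
    """Decide what the user sees after a CONNECT to `origin` via a proxy.

    Only a 2xx reply opens the tunnel. Any other reply yields a page built
    entirely by the client: it names the origin and the status code, and
    contains no header or body bytes from the proxy, because that content
    is not authenticated as coming from the https:// site the user typed.
    (Assumption: 407 proxy authentication is outside this sketch.)
    """
    status = parse_connect_status(raw)
    if status is not None and 200 <= status < 300:
        return {"tunnel": True, "page": None}
    reason = f"status {status}" if status is not None else "an unreadable reply"
    page = (
        "<!doctype html><title>Proxy refused connection</title>"
        "<p>The proxy denied the request to connect to "
        f"{html.escape(origin)} ({reason}).</p>"
    )
    return {"tunnel": False, "page": page}


# Constructed sample: a 403 reply whose body carries proxy-supplied markup.
SAMPLE_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<h1>PROXY-SUPPLIED-MARKUP</h1>"
)

if __name__ == "__main__":
    print(handle_connect_reply(SAMPLE_403, "blah.example:443")["page"])
```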