- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 18 Jun 2015 06:22:06 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Jun 17, 2015 at 04:57:42PM -0700, Martin Thomson wrote:
> On 17 June 2015 at 13:47, Adrien de Croy <adrien@qbik.com> wrote:
> > we're seeing nowadays many browsers don't display the content of a 403
> > denial response to a CONNECT request, instead displaying some generic
> > home-baked browser warning about being unable to make a connection.
>
> I believe that this is because our users have requested a secure site
> and anything other than authenticated content provided by that site
> would present an unparalleled opportunity for MitM phishing attacks.

Well, don't forget that there's nothing like a "secure site" at this phase.
The connection to the proxy is made in cleartext and the browser sends proxy
credentials (user:password) in clear over this connection. What this means is
that the connection *is* considered locally secure, at least safe enough so
that we don't care about the risks of sniffing. So we should care even less
about the risks of MITM!

Willy
Received on Thursday, 18 June 2015 04:22:41 UTC
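The exchange above turns on two observable facts about the browser-to-proxy hop: the CONNECT request (with any `Proxy-Authorization` header) travels over a plain TCP connection, and the proxy answers either with `200` (tunnel opened) or with a denial such as `403` that may carry a body the browser never shows. The following is an added example, not code from the thread or from any proxy or browser it mentions; it parses a constructed CONNECT request and two constructed proxy replies the way a network-monitoring or audit tool would, and flags the cleartext-credentials case Willy describes. The `proxy_link_is_tls` flag is an assumption introduced for the example (True would model a browser that reaches its proxy over TLS, which is not the case discussed in the thread).

```python
"""Inspect a CONNECT request and a proxy's reply from a monitoring viewpoint.

Added example for the thread above; every message below is constructed.
"""
import base64
from typing import Dict, Optional, Tuple

# Constructed: what a browser sends to a forward proxy when the user asks for
# an https:// site through it. Basic credentials are "alice:hunter2" encoded.
SAMPLE_CONNECT_REQUEST = (
    b"CONNECT example.com:443 HTTP/1.1\r\n"
    b"Host: example.com:443\r\n"
    b"Proxy-Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
)

# Constructed: a proxy refusing the tunnel and explaining why in the body.
SAMPLE_403_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"CONNECT to this host denied.\n"
)

# Constructed: a proxy accepting the tunnel (no body follows the headers).
SAMPLE_200_RESPONSE = b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_http_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 message into start line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_proxy_credentials(request: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the request carries Basic proxy credentials.

    Basic is an encoding, not encryption, so whoever sees the bytes between
    browser and proxy sees the password. This is the point made in the mail.
    """
    _, headers, _ = parse_http_message(request)
    value = headers.get("proxy-authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def connect_outcome(response: bytes) -> Dict[str, object]:
    """Classify a proxy's answer to CONNECT: tunnel opened, or denied with a body."""
    start_line, headers, body = parse_http_message(response)
    status = int(start_line.split(" ", 2)[1])
    length = int(headers.get("content-length", "0"))
    return {
        "status": status,
        "tunnel_established": status == 200,
        # The denial text a browser could show instead of a generic error page.
        "denial_body": body[:length].decode("utf-8") if status >= 400 else "",
    }


def audit_proxy_hop(request: bytes, proxy_link_is_tls: bool) -> str:
    """One-line finding for the browser-to-proxy hop.

    proxy_link_is_tls is an assumed flag for this example: False models the
    plain-TCP proxy connection discussed in the thread.
    """
    creds = basic_proxy_credentials(request)
    if creds is None:
        return "no Basic proxy credentials on this hop"
    if proxy_link_is_tls:
        return f"Basic proxy credentials for '{creds[0]}' protected by TLS to the proxy"
    return f"Basic proxy credentials for '{creds[0]}' sent in cleartext to the proxy"


if __name__ == "__main__":
    print(audit_proxy_hop(SAMPLE_CONNECT_REQUEST, proxy_link_is_tls=False))
    print(connect_outcome(SAMPLE_403_RESPONSE))
    print(connect_outcome(SAMPLE_200_RESPONSE))
```

Running the module prints the cleartext finding for the sample request and the two classified replies; the `denial_body` field is exactly the text Adrien's message says browsers discard in favour of a generic connection error.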