- From: Ted Hardie <ted.ietf@gmail.com>
- Date: Fri, 4 Dec 2015 11:18:06 -0800
- To: Alex Rousskov <rousskov@measurement-factory.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CA+9kkMAs56zAVCuN-F2dHORiaqgA4frqum+LcGU+2owbxNFarQ@mail.gmail.com>
On Thu, Dec 3, 2015 at 6:26 PM, Alex Rousskov < rousskov@measurement-factory.com> wrote: > On 12/03/2015 05:38 PM, Ted Hardie wrote: > > Look particularly at section 3. As you will note from that, there are > > certainly middleboxes which are within scope (configured HTTP proxies > > among them). But there are others which are not. I know of no > > interception proxy requiring a newly installed root CA which would fit > > within the current policy, but I'm willing to be informed should there > > be one. > > The prevalence of interception proxies is our other engineering failure, > but if I have deliberately installed your root CA on my phone and > clicked "I agree to be monitored by Ted" button in my favorite browser, > then you are no longer wiretapping my Google requests per RFC 2804. > > It is also utterly unnecessary if I you are agreeing to be monitored. In the case where you are agreeing to be monitored, you direct the traffic to the inspection point. This allows you to use cryptographic confirmation that you are talking to the appropriate proxy, since it can provide you such an assertion over that hop (which it cannot do the same if acting as an interception proxy). If you really have consent, deploying these root CAs destroys the authentication property of the encrypted connection, damaging the overall system, in a way that is simply not required. That is deeply sad for that class of cases, but mostly indicative that these are mostly used where consent isn't present, because the organization involved doesn't care to get it. I am not sure who the "our" is in your "our other engineering failure" and since the problem goes back a long way, there are likely participants in this working group who have never known a web without this problem. But the baseline truth is that there have always been folks who have traded their ease of configuration and lowered costs for their users privacy and individual security. Some of those run enterprise installations; some run countries. But the damage to the authentication properties of the system is the same; it's just at different scales. regards, Ted
Received on Friday, 4 December 2015 19:18:34 UTC