Re: SSL/TLS everywhere fail

On Dec 5, 2015 8:21 AM, "Alex Rousskov" <rousskov@measurement-factory.com>
wrote:
> Unfortunately, MitM attacks on consenting participants are increasingly
> necessary today.

Isn't a big part of this debate over a disagreement about what is necessary?

> No, secure communication with forward proxies is currently not supported
> by many popular browsers. They can tunnel HTTPS through a forward HTTP
> proxy, but they cannot be configured to encrypt their connection to the
> forward proxy using TLS.

Firefox definitely supports HTTPS proxies. I think that Chrome does too.

> I have consented. I have set up an explicit proxy. The proxy plays by
> the rules. And yet nothing works! At this point, my employer is forced
> to attack my HTTPS traffic even though neither they nor I want to
> resort to those dirty tricks.

But you are not the only party that has to consent. This is a two-party
conversation, and it is very clear that the other party has not consented.
(Leave aside for the moment that this is still just a technical limitation;
you could write your own browser that would work in this situation. I could
even tell you how to disable pinning...)

Received on Friday, 4 December 2015 22:46:20 UTC