On Dec 5, 2015 8:21 AM, "Alex Rousskov" <rousskov@measurement-factory.com> wrote: > Unfortunately, MitM attacks on consenting participants are increasingly > necessary today. Isn't a big part of this debate over a disagreement about what is necessary? > No, secure communication with forward proxies is currently not supported > by many popular browsers. They can tunnel HTTPS through a forward HTTP > proxy, but they cannot be configured to encrypt their connection to the > forward proxy using TLS. Firefox definitely supports https proxies. I think that Chrome does too. > I have consented. I have set up an explicit proxy. The proxy plays by > the rules. And yet nothing works! At this point, my employer is forced > to attack my HTTPS traffic even though neither they nor me want to > resort to those dirty tricks. But you are not the only party that has to consent. This is a two party conversation, and it is very clear that the other party has not consented. (Leave aside for the moment that this is still just a technical limitation, you could write your own browser that would work in this situation. I could even tell you how to disable pinning...)
Received on Friday, 4 December 2015 22:46:20 UTC