- From: Kari hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Sun, 7 Aug 2016 22:07:44 +0300 (EEST)
- To: "Walter H." <Walter.H@mathemainzel.info>
- CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Walter H. <Walter.H@mathemainzel.info>: (Sun Aug 7 21:54:22 2016)
[ Charset ISO-8859-1 converted... ]
> On 07.08.2016 19:50, Kari hurtta wrote:
>> https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html
>>
>>> configured proxies are not the bug; why not just simply use plain HTML?
>>>
>>> your sample could then just be this simple:
>>>
>>> HTTP/1.1 403 Forbidden
>>> Content-Type: text/html
>>> Cache-Control: no-cache
>>>
>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>> <HTML>
>> Major browsers do not show this when they get
>> that on response of CONNECT request.
> which in fact is caused by something different - my MITM proxy generates
> errors that are shown by my browser;
> and these errors are simple HTML
>
> a MITM proxy uses a certificate for signing sites ...

So that is on TLS which is tunneled via CONNECT.

> e.g. the proxy uses a certificate called Proxy-CA, then for every site
> you want to go to there will be created an SSL certificate which is
> signed by Proxy-CA;
> if the Proxy-CA was signed by a CA that is a built in token in the
> certstore of your browser or you have installed the Proxy-CA certificate
> in the certstore yourself, then your browser will show this simple HTML
> error page the proxy is sending;
>

Yes, content was

https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0367.html

| In our customer base, the biggest driver to deploy MitM is the refusal
| of browsers to display block pages from denied CONNECT requests.

https://mnot.github.io/I-D/proxy-explanation/

does not require MITM. That can be shown when CONNECT fails
and tunneled TLS is not established.

/ Kari Hurtta

Received on Sunday, 7 August 2016 19:10:58 UTC
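
The point made in the message, that a denied CONNECT is answered in cleartext HTTP before any tunneled TLS exists, shown as an added example that is not part of the original message or of any draft. The loopback proxy, the function names, the target `blocked.example:443` and the block page text are constructed for illustration.

```python
import socket
import threading

# Constructed block page, modelled on the HTML quoted in the message.
BLOCK_PAGE = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<HTML>Blocked by policy</HTML>\n'

def _recv_until(sock, marker):
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def deny_connect_once(listener):
    """Hypothetical proxy: refuse one CONNECT with 403 and an HTML body."""
    conn, _ = listener.accept()
    with conn:
        _recv_until(conn, b"\r\n\r\n")  # consume the CONNECT request
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                     b"Cache-Control: no-cache\r\nContent-Length: %d\r\n"
                     b"Connection: close\r\n\r\n" % len(BLOCK_PAGE) + BLOCK_PAGE)

def connect_via_proxy(proxy_addr, target):
    """Send CONNECT and return (status, headers, body) read before any TLS."""
    with socket.create_connection(proxy_addr, timeout=5) as s:
        s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        head, _, body = _recv_until(s, b"\r\n\r\n").partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        status = int(lines[0].split(" ", 2)[1])
        headers = {k.strip().lower(): v.strip()
                   for k, v in (l.split(":", 1) for l in lines[1:])}
        if 200 <= status < 300:
            return status, headers, b""  # tunnel up; TLS handshake would start here
        want = int(headers.get("content-length", 0))
        while len(body) < want:  # denial body arrives in cleartext, no TLS involved
            chunk = s.recv(4096)
            if not chunk:
                break
            body += chunk
        return status, headers, body

def demo():
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        threading.Thread(target=deny_connect_once, args=(listener,), daemon=True).start()
        return connect_via_proxy(listener.getsockname(), "blocked.example:443")
```

The client receives the full block page without a certificate, a Proxy-CA, or a TLS handshake; whether a browser chooses to render it is the separate question the thread is about.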