- From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
- Date: Mon, 20 Nov 2017 16:33:39 +0100
- To: Ted Lemon <mellon@fugue.com>
- Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, ietf-http-wg@w3.org, hrpc@irtf.org
On Mon, Nov 20, 2017 at 06:57:17AM -0500, Ted Lemon <mellon@fugue.com> wrote a message of 81 lines which said: > I stopped pushing this after David Oran pointed out that there's no > way to authenticate who is making the claim about why the content > was blocked. I think this is a bit of a flaw in the 451 code idea > as well—if it's not signed by whoever is claiming authority to do > the block, it can be used to tell the end user something that is not > true and can be turned into an attack on whomever the blocking is > attributed to. It seems to me there are three cases: 1) plain HTTP (no TLS). All bets are off, anything can be modified, status code or not, and it is not 451-specific. 2) HTTPS to some place you trust, either the origin server (but they won't tell you the'yre serving malware) or a proxy you're configured to trust (I know most of these proxies are crap <https://jhalderm.com/pub/papers/interception-ndss17.pdf> <http://users.encs.concordia.ca/~mmannan/publications/ssl-interception-ndss2016.pdf> but it's a different issue). 3) HTTPS intercepted by a proxy you do not trust. Here, it is a man-in-the-middle attack and it should be detected by HTTPS. It seems to me that a status code for "intercepted and blocked for your safety" could be useful for 2) and probably for 1).
Received on Monday, 20 November 2017 15:34:09 UTC