Re: report on EV and SSL MITM proxying

On 8 Mar 2011, at 16:02, peter williams wrote:

> I think we are about 60% understanding https.

You said that in the previous mail where I answered your points one by one.

>  
> We are understanding now that not only can the outgoing corporate firewall be an attacker, so can any reverse proxy on the path. There may be n of them. Each one is semantically-attacking the end-end user model of https, just as each one has the poisoning document caches. (This is the security way of looking at the web architecture :-) )

It can't be an attacker without putting a certificate on your machine, which it can only do if the machine is owned by the same organisation as the one that owns the firewall.

Can you answer this point, without a huge song and dance?

Henry

Received on Tuesday, 8 March 2011 15:10:02 UTC