Re: Hello from Mozilla

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Thu, 16 Jul 2009 09:20:56 +0200

On Wed 2009-07-15 at 07:34 +0000, Ian Hickson wrote:
> On Wed, 15 Jul 2009, Mark Nottingham wrote:
> >
> > Upgrade is hop-by-hop, so it's pretty limiting.
>
> Do man-in-the-middle proxies count as a hop for the purposes of HTTP?

When used as a surrogate it does.

The "transparently intercepting" case is outside of any specifications.

> As
> far as I can tell from the HTTP spec, the client is supposed to know
> whether it is speaking to a proxy or not, so man-in-the-middle proxies
> don't affect the hop-by-hop semantics... but it's not entirely clear.

Yes, just as IP addresses are supposed to be unique and not shared or
modified in transit (NAT)...

> Sure, but that's why we have the TLS-over-port-443 option. In the cases
> where there is uncooperative network infrastructure, the client can just
> switch to that, and then there's no way the connection can be affected.

You think....

There is a funny technique implemented at many places today which
unwinds TLS on port 443 and proxies the HTTP traffic which is supposed
to be within. Used for policy enforcement and inspection in networks
where end-to-end encrypted communication is forbidden by policy.

> Not doing so is unacceptably insecure for this use case, IMHO. We can't
> run the risk of Web pages hitting SMTP servers and sending spam, or poking
> at intranet servers, or who knows what else.

You still haven't explained how running a proper HTTP Upgrade sequence
may risk this. I just don't see it.

Regards
Henrik
Received on Thu Jul 16 2009 - 07:21:04 MDT
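The hop-by-hop behaviour argued over above, as an added example that is not code from the thread or from either participant. It models two rules of RFC 2616 (sections 13.5.1 and 14.42): a proxy strips hop-by-hop headers (Connection, Upgrade, and anything named in Connection) before forwarding, so an origin behind a surrogate never sees the Upgrade request; and a client may only switch protocols after a "101 Switching Protocols" response whose Upgrade header names what it asked for. The request, responses and the SMTP banner are constructed for the example; the function names are the example's own.

```python
"""Model of HTTP/1.1 Upgrade handling across a hop (added example).

Facts encoded here come from RFC 2616 sections 13.5.1 and 14.42; the sample
messages are constructed for illustration, not captured traffic.
"""

# Header fields RFC 2616 13.5.1 lists as hop-by-hop (never forwarded by a proxy).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def parse_message(raw: bytes):
    """Parse an HTTP/1.x message head into (start_line, {name: [values]}).

    Returns None when the bytes are not an HTTP message head at all, which is
    what a client sees if the peer turns out to be, say, an SMTP server.
    """
    text = raw.decode("iso-8859-1")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    start = lines[0]
    # A response starts with HTTP/1.x; a request ends with it.
    if not (start.startswith("HTTP/1.") or start.split(" ")[-1].startswith("HTTP/1.")):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers


def strip_hop_by_hop(headers: dict) -> dict:
    """What a conforming proxy does to a message before sending it to the next hop."""
    named = set()
    for value in headers.get("connection", []):
        named.update(tok.strip().lower() for tok in value.split(","))
    return {k: v for k, v in headers.items() if k not in HOP_BY_HOP and k not in named}


def forwarded_headers(raw_request: bytes) -> dict:
    """Headers the origin receives when the request crosses a surrogate proxy."""
    start, headers = parse_message(raw_request)
    return strip_hop_by_hop(headers)


def client_should_switch(raw_response: bytes, requested_protocol: str) -> bool:
    """A client switches only on 101 whose Upgrade header offers the requested token."""
    parsed = parse_message(raw_response)
    if parsed is None:          # not HTTP at all: stay in HTTP, send nothing further
        return False
    start, headers = parsed
    parts = start.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        return False
    offered = {tok.strip().lower() for v in headers.get("upgrade", []) for tok in v.split(",")}
    return requested_protocol.lower() in offered


# Constructed sample messages.
UPGRADE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Connection: Upgrade\r\n"
    b"\r\n"
)
SWITCHING_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Connection: Upgrade\r\n"
    b"\r\n"
)
WRONG_PROTOCOL_RESPONSE = b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0\r\n\r\n"
PLAIN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SMTP_BANNER = b"220 mail.example.com ESMTP ready\r\n"   # what a mail server would send first


if __name__ == "__main__":
    print("origin behind a proxy sees:", forwarded_headers(UPGRADE_REQUEST))
    for label, resp in [("101 websocket", SWITCHING_RESPONSE), ("101 other", WRONG_PROTOCOL_RESPONSE),
                        ("200", PLAIN_RESPONSE), ("smtp banner", SMTP_BANNER)]:
        print(f"{label:14} switch? {client_should_switch(resp, 'websocket')}")
```

Running it shows the two sides of the argument in the thread: once a conforming proxy sits in the path, the origin receives only `Host` and never learns an upgrade was requested, so the handshake ends with an ordinary response and the client stays in HTTP; and a client that insists on a 101 carrying its own Upgrade token never switches on a non-HTTP banner or on a 101 for some other protocol.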
