Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
Kari hurtta <hurtta-ietf@elmme-mailer.org> Sun, 07 August 2016 19:15 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57E0812D0B5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 7 Aug 2016 12:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.168
X-Spam-Level:
X-Spam-Status: No, score=-8.168 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6N5rVjPxluey for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 7 Aug 2016 12:15:02 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B63012B02B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 7 Aug 2016 12:15:02 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bWTTR-0007x6-Ji for ietf-http-wg-dist@listhub.w3.org; Sun, 07 Aug 2016 19:11:01 +0000
Resent-Date: Sun, 07 Aug 2016 19:11:01 +0000
Resent-Message-Id: <E1bWTTR-0007x6-Ji@frink.w3.org>
Received: from bart.w3.org ([193.51.208.80]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <hurtta@siilo.fmi.fi>) id 1bWTTN-0007w4-Vj for ietf-http-wg@listhub.w3.org; Sun, 07 Aug 2016 19:10:58 +0000
Received: from smtpvgate.fmi.fi ([193.166.223.36]) by bart.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <hurtta@siilo.fmi.fi>) id 1bWTTG-0002FN-GZ for ietf-http-wg@w3.org; Sun, 07 Aug 2016 19:10:51 +0000
Received: from virkku.fmi.fi (virkku.fmi.fi [193.166.211.54]) (envelope-from hurtta@siilo.fmi.fi) by smtpVgate.fmi.fi (8.13.8/8.13.8/smtpgate-20160114/smtpVgate) with ESMTP id u77J7ia8020886 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 7 Aug 2016 22:07:45 +0300
Received: from shell.siilo.fmi.fi by virkku.fmi.fi with ESMTP id u77J7iK1022097 ; Sun, 7 Aug 2016 22:07:44 +0300
Received: from shell.siilo.fmi.fi ([127.0.0.1]) by shell.siilo.fmi.fi with ESMTP id u77J7i00006531 ; Sun, 7 Aug 2016 22:07:44 +0300
Received: by shell.siilo.fmi.fi id u77J7iuD006530; Sun, 7 Aug 2016 22:07:44 +0300
Message-Id: <201608071907.u77J7iuD006530@shell.siilo.fmi.fi>
In-Reply-To: <57A783DE.2050304@mathemainzel.info>
References: <57A76F02.4020708@mathemainzel.info> <20160807175029.8D8B213E9B@welho-filter4.welho.com> <57A783DE.2050304@mathemainzel.info>
To: "Walter H." <Walter.H@mathemainzel.info>
Date: Sun, 07 Aug 2016 22:07:44 +0300
Sender: hurtta@siilo.fmi.fi
From: Kari hurtta <hurtta-ietf@elmme-mailer.org>
CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
X-Mailer: ELM [version ME+ 2.5 PLalpha41]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
X-Filter: smtpVgate.fmi.fi: 3 received headers rewritten with id 20160807/03100/01
X-Filter: smtpVgate.fmi.fi: ID 3100/01, 1 parts scanned for known viruses
X-Filter: virkku.fmi.fi: ID 1505/01, 1 parts scanned for known viruses
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (smtpVgate.fmi.fi [193.166.223.36]); Sun, 07 Aug 2016 22:07:45 +0300 (EEST)
Received-SPF: none client-ip=193.166.223.36; envelope-from=hurtta@siilo.fmi.fi; helo=smtpVgate.fmi.fi
X-W3C-Hub-Spam-Status: No, score=-5.6
X-W3C-Hub-Spam-Report: AWL=-1.284, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.432, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: bart.w3.org 1bWTTG-0002FN-GZ 343e8af18bb17c063aa010edb8e7a8bf
X-Original-To: ietf-http-wg@w3.org
Subject: Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
Archived-At: <http://www.w3.org/mid/201608071907.u77J7iuD006530@shell.siilo.fmi.fi>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/32211
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Walter H. <Walter.H@mathemainzel.info>: (Sun Aug 7 21:54:22 2016) [ Charset ISO-8859-1 converted... ] > On 07.08.2016 19:50, Kari hurtta wrote: >> https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html >> >>> configured proxies are not the bug; why not just simpy use plain HTML? >>> >>> your sample chould then just be this simple: >>> >>> HTTP/1.1 403 Forbidden >>> Content-Type: text/html >>> Cache-Control: no-cache >>> >>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> >>> <HTML> >> Major browsers do not show this when they get >> that on response of CONNECT -request. > which in fact is caused by something different - my MITM proxy generates > errors that are shown by my browser; > and these errors are simple HTML > > a MITM proxy uses a certificate for signing sites ... So that is on TLS which is tunneled via CONNECT. > e.g. the proxy uses a certificate called Proxy-CA, then for every site > you want to go to there will be a created a SSL certificate which is > signed by Proxy-CA; > if the Proxy-CA was signed by a CA that is a built in token in the > certstore of your browser or you have installed the Proxy-CA certificate > in the certstore yourself, then your browser will show this simple HTML > error page the proxy is sending; > Yes, content was https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0367.html | In our customer base, the biggest driver to deploy MitM is the refusal | of browsers to display block pages from denied CONNECT requests. https://mnot.github.io/I-D/proxy-explanation/ does not require MITM. That can be show when CONNECT fails and tunneled TLS is not established. / Kari Hurtta
- Re: Call for Adoption: draft-song-dns-wireformat-… Mark Nottingham
- Re: Call for Adoption: draft-song-dns-wireformat-… Tim Wicinski
- Re: Call for Adoption: draft-song-dns-wireformat-… Tim Wicinski
- Re: MITM and proxy messages [was: Call for Adopti… Patrick McManus
- Re: MITM and proxy messages [was: Call for Adopti… Adrien de Croy
- Re: MITM and proxy messages [was: Call for Adopti… Martin Thomson
- RE: Fwd: Call for Adoption: draft-song-dns-wirefo… Mike Bishop
- Re: MITM and proxy messages [was: Call for Adopti… Amos Jeffries
- Re: MITM and proxy messages [was: Call for Adopti… Walter H.
- Re: MITM and proxy messages [was: Call for Adopti… Amos Jeffries
- Re: MITM and proxy messages [was: Call for Adopti… Poul-Henning Kamp
- Re: MITM and proxy messages [was: Call for Adopti… nicolas.mailhot
- Re: MITM and proxy messages [was: Call for Adopti… nicolas.mailhot
- Re: MITM and proxy messages [was: Call for Adopti… Martin Thomson
- Re: MITM and proxy messages [was: Call for Adopti… Adrien de Croy
- Re: MITM and proxy messages [was: Call for Adopti… Martin Thomson
- Re: MITM and proxy messages [was: Call for Adopti… Martin Thomson
- Re: MITM and proxy messages [was: Call for Adopti… Adrien de Croy
- Re: MITM and proxy messages [was: Call for Adopti… Kari hurtta
- Re: MITM and proxy messages [was: Call for Adopti… Walter H.
- Re: MITM and proxy messages [was: Call for Adopti… Kari hurtta
- Re: MITM and proxy messages [was: Call for Adopti… Walter H.
- Re: MITM and proxy messages [was: Call for Adopti… Walter H.
- Re: MITM and proxy messages [was: Call for Adopti… Ilari Liusvaara
- Re: MITM and proxy messages [was: Call for Adopti… Kari hurtta
- Re: MITM and proxy messages [was: Call for Adopti… Amos Jeffries
- Re: MITM and proxy messages [was: Call for Adopti… Walter H.
- Re: MITM and proxy messages [was: Call for Adopti… nicolas.mailhot
- Re: MITM and proxy messages [was: Call for Adopti… Adrien de Croy
- MITM and proxy messages [was: Call for Adoption: … Mark Nottingham
- Re: Fwd: Call for Adoption: draft-song-dns-wirefo… Nicolas Mailhot
- Re: Fwd: Call for Adoption: draft-song-dns-wirefo… Adrien de Croy
- Re: Call for Adoption: draft-song-dns-wireformat-… Patrick McManus
- Re: Fwd: Call for Adoption: draft-song-dns-wirefo… Poul-Henning Kamp
- Re: Fwd: Call for Adoption: draft-song-dns-wirefo… Patrick McManus
- Re: Fwd: Call for Adoption: draft-song-dns-wirefo… Poul-Henning Kamp
- Re: Call for Adoption: draft-song-dns-wireformat-… Mark Nottingham
- Re: Call for Adoption: draft-song-dns-wireformat-… Martin Thomson
- Re: Call for Adoption: draft-song-dns-wireformat-… tjw ietf
- Re: Call for Adoption: draft-song-dns-wireformat-… Martin Thomson
- Fwd: Call for Adoption: draft-song-dns-wireformat… tjw ietf