Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

"Walter H." <Walter.H@mathemainzel.info> Sun, 07 August 2016 17:32 UTC


On 06.08.2016 02:25, Mark Nottingham wrote:
> Would this help?
>
> https://mnot.github.io/I-D/proxy-explanation/
>
> Keep in mind that only helps for configured proxies.
>
Configured proxies are not the bug; why not just simply use plain HTML?

Your sample should then just be this simple:

HTTP/1.1 403 Forbidden
Content-Type: text/html
Cache-Control: no-cache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Policy Violation</TITLE>
</HEAD>
<BODY>
<H1>Policy Violation</H1>
<UL>
<LI>This content is above your pay grade. <A HREF="https://acme.example.com/why?https://www.example.net">More Info</A>.
</LI>
</UL>
<HR>
<ADDRESS>Acme Networks Proxy</ADDRESS>
</BODY>
</HTML>

Is this really a disadvantage, doing it this way? And if yes, why?

Without having the signing certificate used by the proxy installed in the certstore of the client,
the "new way" has no advantages;
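As an added example (not part of Walter's message or of the proxy-explanation draft), a small Python parser that reads a plain-HTML 403 like the sample above and pulls out the "More Info" link; the raw response is constructed from that sample, and the `via_connect` flag is an assumption supplied by the caller: a 403 answering a CONNECT is authored by the proxy, whereas a page arriving inside an already established TLS tunnel cannot have been written by the proxy unless the client trusts its signing certificate.

```python
# Added example, not from the original mail: parse a proxy's plain-HTML
# 403 policy page and extract the "More Info" link. SAMPLE is constructed
# from the response shown in the message.
from html.parser import HTMLParser

SAMPLE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>Policy Violation</TITLE></HEAD><BODY>"
    "<H1>Policy Violation</H1><UL><LI>This content is above your pay grade. "
    '<A HREF="https://acme.example.com/why?https://www.example.net">More Info</A>.'
    "</LI></UL><HR><ADDRESS>Acme Networks Proxy</ADDRESS></BODY></HTML>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return int(code), headers, body


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs; HTMLParser lowercases tag/attr names."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._text is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = self._text = None


def explain_block(raw, via_connect):
    """Return the proxy's explanation link, or None if this is not a 403 HTML page."""
    code, headers, body = parse_response(raw)
    if code != 403 or not headers.get("content-type", "").startswith("text/html"):
        return None
    parser = LinkExtractor()
    parser.feed(body)
    # Only a reply to CONNECT is known to come from the proxy itself (assumed flag).
    return {"authored_by_proxy": via_connect, "more_info": dict(parser.links).get("More Info")}
```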