Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
"Adrien de Croy" <adrien@qbik.com> Sat, 06 August 2016 21:53 UTC
From: Adrien de Croy <adrien@qbik.com>
To: Mark Nottingham <mnot@mnot.net>, Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Patrick McManus <pmcmanus@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Sat, 06 Aug 2016 21:45:50 +0000
Message-Id: <em03a0c1e8-8306-499e-8c9b-6197ae900781@bodybag>
In-Reply-To: <1A071CC0-3A1E-4E53-B1D0-DBE37FA53A6B@mnot.net>
Reply-To: Adrien de Croy <adrien@qbik.com>
Archived-At: <http://www.w3.org/mid/em03a0c1e8-8306-499e-8c9b-6197ae900781@bodybag>
Hi Mark

thanks for putting that together, it looks interesting.

My gut feel is that customers will continue to wish to present their own content/page to blocked users, containing things such as

* company and/or jurisdictional boilerplate / warnings etc
* branding
* organisation-specific links (e.g. to more info on policy, or request form to remove entry from block-list)

One other issue looming is that of the captive portal, which generally requires that the initial conversation use http/1.1 over port 80. As more things move to https, this becomes more difficult. So the ability to advertise a captive portal would be useful to add to this draft.

Then finally the issue around intercepted connections. I really can't see these going away.

As far as the draft goes, I still don't really buy that browser vendors couldn't portray a block page in a way that is unambiguously NOT the target site - e.g. that cannot be made to look like or behave like the banking site (pop it in a dialog for example). I think a little more commitment and imagination could have resolved this problem and not caused the large amount of pain that the chosen expedient path has ended up causing.

For a 30x response to CONNECT we need to decide whether such a thing makes any logical sense or even should be permitted. You can't MitM from an unknown source without causing at least certificate warnings - with HSTS this is a show-stopper for an active network attacker, unless they intercept the very first request to that site.

Sanctioned MitM in an organization can currently only be distinguished from end-to-end encryption by inspecting the certificate chain, and this is a crime against users; it should be simple to make it obvious to users when their https is being inspected. E.g. tie the proxy configuration to the root of the cert tree - again this would only work for non-intercepted.

So I'm a little on the fence on this proposal for browsers, but for other agents, I think the machine-readable information could be very useful, so overall I'm in favour of such an approach. It could however alternatively be transported in a header, leaving the body for customization by the organization.

One thing I would love to see more work done in is proxy discovery. Many many of our users want to use interception, so they can avoid the deployment issues. WPAD goes some of the way, but there are still problems with that. If we continue to just wish that connection interception and MitM will just go away, we won't improve things for users. There should be a way for an intercepting proxy to safely (from a client POV) impose itself with full knowledge and assent of the client.

Cheers

Adrien

------ Original Message ------
From: "Mark Nottingham" <mnot@mnot.net>
To: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>
Cc: "Adrien de Croy" <adrien@qbik.com>; "Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Patrick McManus" <pmcmanus@mozilla.com>; "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 6/08/2016 12:25:56 PM
Subject: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

> Would this help?
>
> https://mnot.github.io/I-D/proxy-explanation/
>
> Keep in mind that only helps for configured proxies.
>
> Sent from my iPhone
>
>> On 5 Aug 2016, at 1:06 AM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
>>
>> Same here, no block pages -> MITM
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
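The HSTS point in the message above (an interceptor presenting an untrusted certificate only gets through on a host the client has never seen over HTTPS, or whose policy has lapsed), illustrated with an added example that is not part of the original message or thread: a minimal model of a browser's Strict-Transport-Security store, with constructed hostnames and a preloaded entry showing that preloading removes the first-visit gap.

```python
# Added example (not from the original message): a minimal model of a
# browser's HSTS store in the style of RFC 6797. Hostnames are constructed.
import time

def parse_sts(header):
    """Parse a Strict-Transport-Security value; max_age is None if absent."""
    max_age, include_subdomains, preload = None, False, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload

class HstsStore:
    def __init__(self, preload=(), now=time.time):
        self.now = now
        # host -> (expiry timestamp, or None for preloaded; includeSubDomains flag)
        self.known = {h.lower(): (None, True) for h in preload}

    def record(self, host, sts_header):
        """Learn a policy; only call this for a response over validated TLS."""
        max_age, subdomains, _ = parse_sts(sts_header)
        if max_age is None:      # malformed header: ignore it, as RFC 6797 requires
            return
        if max_age == 0:         # max-age=0 deletes the policy
            self.known.pop(host.lower(), None)
        else:
            self.known[host.lower()] = (self.now() + max_age, subdomains)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, subdomains = entry
            if expiry is not None and expiry <= self.now():
                continue             # expired: the host is back to first-visit state
            if i == 0 or subdomains:
                return True
        return False

    def cert_error_overridable(self, host):
        return not self.is_known(host)   # on a known HSTS host the error is fatal
```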