Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

Amos Jeffries <squid3@treenet.co.nz> Mon, 08 August 2016 11:30 UTC

To: ietf-http-wg@w3.org
References: <emf4b03d32-a847-4bb3-bfef-4d866b6dba9c@bodybag> <704A6BA4-E2EE-4458-AABB-21E953D1A207@laposte.net> <1A071CC0-3A1E-4E53-B1D0-DBE37FA53A6B@mnot.net> <57A76F02.4020708@mathemainzel.info> <20160807174535.ahcpwzgrxjlysl7z@LK-Perkele-V2.elisa-laajakaista.fi> <57A78567.2050902@mathemainzel.info>
From: Amos Jeffries <squid3@treenet.co.nz>
Message-ID: <63cdb320-83f3-7ea0-04f7-5b72ea01e76c@treenet.co.nz>
Date: Mon, 08 Aug 2016 23:25:24 +1200
In-Reply-To: <57A78567.2050902@mathemainzel.info>
Subject: Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
Archived-At: <http://www.w3.org/mid/63cdb320-83f3-7ea0-04f7-5b72ea01e76c@treenet.co.nz>

On 8/08/2016 7:00 a.m., Walter H. wrote:
> On 07.08.2016 19:45, Ilari Liusvaara wrote:
>> On Sun, Aug 07, 2016 at 07:25:22PM +0200, Walter H. wrote:
>>> On 06.08.2016 02:25, Mark Nottingham wrote:
>>>> Would this help?
>>>>
>>>> https://mnot.github.io/I-D/proxy-explanation/
>>>>
>>>> Keep in mind that only helps for configured proxies.
>>>>
>>> configured proxies are not the bug; why not just simply use plain HTML?
>>
>> Except that if you try rejecting the CONNECT,
> then my browser shows the correct message
> 
> e.g.
> 
> While trying to retrieve the URL: https://www.xxx.ru/*
> 
> The following error was encountered:
> 
>  * Top-Level-Domain Blocked.
> 
> Access control configuration prevents your request from being allowed at
> this time.
> Please contact your service provider if you feel this is incorrect.
> 
> in this case it has no relevance if the host www.xxx.ru really exists or
> not, because the whole TLD .ru is blocked and this check is done much
> before;
> 
> I'm using squid as my MITM-proxy
> 
>> the browsers just throw
>> up generic error about connection failed and will just plain discard
>> any payload the proxy sends.
>>
>> (And pretty much the same for non-browsers, if those even support
>> CONNECT).
> yes, because these apps warn you that there is a certificate in use they
> don't know; install the signing certificate of the proxy and it works
> as I've shown above ...
> 
This is Squid working around all the problems we are discussing here.

When you install the proxy CA cert Squid accepts the CONNECT, MITMs
the TLS session, accepts the first HTTPS message from the browser - and
produces that error page that you see as if it were the response from
the HTTPS www.xxx.ru origin for that page.

It does all this nasty and complicated activity because the browser will
not show the error in response to the original CONNECT.

Amos
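The two proxy behaviours contrasted in this thread, as an added model (not Squid's code and not part of the original message): a TLD policy check applied at CONNECT time before any DNS lookup, the proxy either rejecting the CONNECT outright or accepting it and answering the first request inside the tunnel, and a client that, like a browser, discards the body of a non-2xx CONNECT response. TLS is not modelled; the intercepting case assumes the client already trusts the proxy CA, as the thread describes. The blocked-TLD set and the error text are constructed from the quoted message.

```python
"""Model of how a forward proxy's refusal of a CONNECT reaches the user.
Constructed example; not Squid's implementation.  No TLS is performed:
the 'tunnel' is represented by a callable that answers the first request."""

BLOCKED_TLDS = {"ru"}   # assumed policy, mirroring the quoted error page

ERROR_PAGE = (
    "<html><body><h1>Top-Level-Domain Blocked.</h1>"
    "<p>Access control configuration prevents your request from being "
    "allowed at this time.</p></body></html>"
)


def tld_blocked(authority: str) -> bool:
    """Policy check on the CONNECT authority (host:port).  It runs before
    any DNS resolution, so it fires whether or not the host exists."""
    host = authority.rsplit(":", 1)[0].rstrip(".").lower()
    return host.rsplit(".", 1)[-1] in BLOCKED_TLDS


def proxy_connect(request_line: str, intercept: bool) -> dict:
    """The proxy's reaction to one CONNECT request line.
    intercept=False: reject the CONNECT itself with 403 and an explanatory body.
    intercept=True : accept the CONNECT and deliver the error as the response
                     to the first request sent through the tunnel."""
    method, authority, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("expected a CONNECT request line")
    if not tld_blocked(authority):
        return {"status": 200, "body": "", "tunnel": None}
    if not intercept:
        return {"status": 403, "body": ERROR_PAGE, "tunnel": None}
    # Tunnel accepted; the error page is served as if it came from the origin.
    return {"status": 200, "body": "",
            "tunnel": lambda first_request: (403, ERROR_PAGE)}


def browser_view(request_line: str, intercept: bool) -> str:
    """What the user ends up seeing.  Browsers throw away the payload of a
    non-2xx CONNECT response and show their own generic connection error."""
    resp = proxy_connect(request_line, intercept)
    if resp["status"] != 200:
        return "generic: proxy refused connection"   # resp['body'] is discarded
    if resp["tunnel"] is None:
        return "origin content"                       # normal tunnelled traffic
    _status, body = resp["tunnel"]("GET / HTTP/1.1")
    return body                                       # rendered as origin content
```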