Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

nicolas.mailhot@laposte.net Sun, 07 August 2016 08:14 UTC

Date: Sun, 07 Aug 2016 09:00:09 +0200
From: nicolas.mailhot@laposte.net
To: Mark Nottingham <mnot@mnot.net>
Cc: Adrien de Croy <adrien@qbik.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Patrick McManus <pmcmanus@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <1310458502.298294.1470553209209.JavaMail.zimbra@laposte.net>
In-Reply-To: <1A071CC0-3A1E-4E53-B1D0-DBE37FA53A6B@mnot.net>
References: <emf4b03d32-a847-4bb3-bfef-4d866b6dba9c@bodybag> <704A6BA4-E2EE-4458-AABB-21E953D1A207@laposte.net> <1A071CC0-3A1E-4E53-B1D0-DBE37FA53A6B@mnot.net>
Subject: Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
Archived-At: <http://www.w3.org/mid/1310458502.298294.1470553209209.JavaMail.zimbra@laposte.net>


----- Original Message -----
From: "Mark Nottingham"
Subject: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

> Would this help?

> https://mnot.github.io/I-D/proxy-explanation/

> Keep in mind that only helps for configured proxies. 

For private proxies it would help. Corps would probably be OK with dumping proxy page chrome as long as it is encrypted to avoid spoofing, the user agent warns if the cert changes, and browsers do not show the usual "end of the world" generic message.

It's still missing a huge part, however: proxy auth. There is no wish to allow a random attacker to drill through corp firewalls just by plugging a gadget into a free Ethernet port.

I don't see it working for public commercial captive portals (without necessarily a proxy behind them) such as the one I'm currently using. Those guys want to display their brand prominently, if only to tell people "look, if you were my customer, you could use the free-for-my-customers hotspot I deployed deep in this remote place" (which means auth again to prove you are a customer or paid a one-off fee, plus re-auth because reception on such hotspots is flaky and the connection needs re-establishing every time you move out of range).

As for the "but banks" objections, it would be time for browser people to realise banks do *not* design their sites any differently than others, and all the efforts of those past years to allow http mashups, third-party ads, and tracking cookies mean there is no way to check bank web sites anymore. They now call third-party js and ad agencies, just like the others. They may lag a little (one to two years) but the result is the same.

It is not possible to promote hopelessly insecure practices for some sites and hope they won't spread.