Where are the places that block encrypted traffic?

Sam Hartman <hartmans-ietf@mit.edu> Tue, 02 June 2015 00:21 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id AEA4A1A1B66 for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 17:21:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id XbfwCYdw4xc3 for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 17:21:04 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BC061A1B1D for <ietf@ietf.org>; Mon, 1 Jun 2015 17:21:04 -0700 (PDT)
Received: from localhost (localhost []) by mail.painless-security.com (Postfix) with ESMTP id 0F2D4206F0; Mon, 1 Jun 2015 20:14:24 -0400 (EDT)
Received: from mail.painless-security.com ([]) by localhost (mail.suchdamage.org []) (amavisd-new, port 10024) with ESMTP id 8JyL2puuPjne; Mon, 1 Jun 2015 20:14:23 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-73-159-4-174.hsd1.ma.comcast.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 1 Jun 2015 20:14:23 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id DFA0F81BCD; Mon, 1 Jun 2015 20:21:01 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Paul Wouters <paul@nohats.ca>
Subject: Where are the places that block encrypted traffic?
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <CAL02cgRPFooA5fVFwvdprb3wPD+Y55pD+7RWjkACDv7T_TBW5Q@mail.gmail.com> <1472054.O9DP0qoCQf@gongo> <alpine.LFD.2.11.1506011720390.12155@bofh.nohats.ca>
Date: Mon, 01 Jun 2015 20:21:01 -0400
In-Reply-To: <alpine.LFD.2.11.1506011720390.12155@bofh.nohats.ca> (Paul Wouters's message of "Mon, 1 Jun 2015 17:27:39 -0400 (EDT)")
Message-ID: <tsllhg3t0ya.fsf_-_@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/hTfPNnBpuBw3dPkjkmSFuM5V2W0>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 00:21:05 -0000

>>>>> "Paul" == Paul Wouters <paul@nohats.ca> writes:

    Paul> On Mon, 1 Jun 2015, Niels Dettenbach wrote:
    >> - And: there ARE poeples and services which doen't allow
    >> encrypted access for legal or organisational reasons - it would
    >> not be nice to block interested poeples from such user
    >> "societies" which are not usually free to decide for an
    >> alternative byself.

I've heard this assertion made multiple times.

As a software developer, I'd really appreciate  some concrete examples
of places that

* Generally permit public access to the Internet

* Prohibit https access.

I'm aware of organizations that:

* Don't want public access to the Internet.  For example please don't
surf the web from your cash register; isolated networks; white-list only

* Places that require https traffic to go through a proxy that attempts
  to examine everything

* Places that inject an https root so they can MITM traffic

I don't think it's our job to make it easy to access the ietf's
resources from places that are trying to block access to us either in a
targeted manner or because they block large chunks of the internet whose
criteria would include the ietf.  Similarly, if an organization's policy
is that you have to use some proxy to access the IETF, I don't see a
problem with that.  Where are these places that block encrypted traffic
but are generally interested in public internet access?  I would like to
better understand real-world examples of these so I can factor them into
software design decisions.