Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Nick Harper <> Thu, 30 July 2020 15:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CE4B03A095A for <>; Thu, 30 Jul 2020 08:18:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zeRLKGrXG5Xz for <>; Thu, 30 Jul 2020 08:18:14 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 017C83A094E for <>; Thu, 30 Jul 2020 08:18:13 -0700 (PDT)
Received: by with SMTP id l26so3796419otj.4 for <>; Thu, 30 Jul 2020 08:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qyi38KYkImN6F9WBfGDg5gZxkyWBlaoGFLeUXgHt9PI=; b=EBApBnu1y2G5B1U813auJMlaFXWPKfOOET6L/iDnHZUSF18piHjhHHBu11gxOvoM7m 6zdJxF5dI+6ecT2VRLgoA+h6JzSeDYnB6rQ+f8J86kuBrOdp7IQCUTUk5sE+/1HVuJMG 0jBOAZpK0o5tIMXXrcHCA11DQCnqj/dm4HzzOghu/D67COrmuDCvlBegh7hgWCLtHg2L ZvscYv52QX++FOGfbsi8ppUCfrlt9qU3CV996V+Td7j3EgAj7o8rtYC0TEsjRSZyurYq NMxJOCDr3HtyHW8m14UkBKsrKvHwhlOEkxOCksL9iDuJL4uwrB8Br11UsFmhNO9Iwy6c JYdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qyi38KYkImN6F9WBfGDg5gZxkyWBlaoGFLeUXgHt9PI=; b=N63wS15SqDmAlw4Pi4x5ZuS0dYYTD3trtqoi8nqFtuMNpe1e4RqcokiXM8ZADOQap6 +rBuunpQy4RNqeRfDaDbnW7wG4WnbUU+M6D8lAFG13GJ+QDgElymOE6tbZXCycqL0Q6P KcALdvQ0WnRyaz8LSZePBjLXAQj2c+swUmn5JWDfpRbP3ZMiTiQH+dmMSBFms499sLk8 mqzSaXyYjtPvh8pS5USvzjoMheA3c5aw/ekYNZU61PEHBREgFfAAUHv+FCZbZu6H+OcJ CkLBYUgsHL7CBtc23+T3oAJh4OUiwof1ZH6bkkRfqWsiM9+5JuSP3QoDOXwmlxnQMHYw Bn0A==
X-Gm-Message-State: AOAM5306d1u27MitOa21pZUoBe/IY+qW4Xawwb5t8wGIiFQiWji3XDIL x1honzhwLI97mtEXzNQT8QdcXDa8CjxeMbtMt+GjCQ==
X-Google-Smtp-Source: ABdhPJx/LQqtFF1X5Py7CwKadg6LFqsQcheCY4kk03iyFDsbkwzd2QKXgkOknWtiSWmvU6k6ubJHc1K51V+gq9YY4pE=
X-Received: by 2002:a05:6830:1d6c:: with SMTP id l12mr2622454oti.275.1596122292876; Thu, 30 Jul 2020 08:18:12 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Nick Harper <>
Date: Thu, 30 Jul 2020 08:18:01 -0700
Message-ID: <>
To: =?UTF-8?Q?T=C3=B6ma_Gavrichenkov?= <>
Cc: "Salz, Rich" <>, Jen Linkova <>, OPSEC <>, "" <>, OpSec Chairs <>
Content-Type: multipart/alternative; boundary="00000000000049530f05abaa2e19"
Archived-At: <>
Subject: Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jul 2020 15:18:16 -0000

On Thu, Jul 30, 2020 at 7:58 AM Töma Gavrichenkov <> wrote:

> Peace,
> On Thu, Jul 30, 2020, 4:39 PM Salz, Rich <> wrote:
>> We have a product, site shield, that customers can use to limit the IP
>> addresses of who can reach their origin server.  Everyone else is blocked.
>> Some use that to make sure that *only* Akamai servers will talk to them,
>> and that everything else goes through us.  Is that a proxy? How is it
>> different from terminating TLS in the DMZ and sending it inside? How does
>> the client know?
> I don't know, and this *is* the problem.

The point is, whatever server/device has a publicly trusted certificate for
a domain name is authoritative for that domain. That server can get the
content it serves (whether dynamic or static) from any source. TLS only
provides guarantees about the connection between the client and server. It
says nothing about whether the content served was obtained or generated in
some secure manner. That content could be sourced locally, it could be
aggregated or generated from other servers via connections over other
secure protocols that aren't TLS, it could even come from some insecure
source like transmitting an audio stream collected from an antenna
connected to the server.

I may be connecting to the service from a network I don't trust with my
> information, and I have (almost) no tool to tell me whether it is served
> from a different network via a secure connection *or* it is served from an
> edge node deployed *in the same network I don't trust*, that node being
> connected to the service through an unauthenticated channel.

If you're connecting to a service, at some point you have to trust that the
service operator is running it in a reasonable way. TLS only tells you that
your connection to the server is secure - it tells you nothing about the
provenance of the content served, and even if such a mechanism exists (I am
not advocating that such a thing should exist), the server can always claim
that it generated it instead of that it got it from somewhere else.

> Like in [1], where this unauthenticated channel is being marketed as
> "end-to-end encryption".  This approach basically defies all the end-to-end
> encryption efforts.
> When it comes to static content, with all the JS security implemented,
> this is mostly fine.  Dynamic content is a very different story.
> [1]
> --
> Töma
>> _______________________________________________
> TLS mailing list