Re: [Patient] [saag] Internet Draft posted as requested -

Roland Zink <> Tue, 19 December 2017 11:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 47AF212DA51 for <>; Tue, 19 Dec 2017 03:30:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TfQpoI6Y66t8 for <>; Tue, 19 Dec 2017 03:30:44 -0800 (PST)
Received: from ( [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A7CC912D95E for <>; Tue, 19 Dec 2017 03:30:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1513683040; s=domk;; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Date:Message-ID: From:References:To:Subject:X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject; bh=6S4pj2BPtb3P2Oz2O5ggWUEV9wL/uThx8e3mksnrKFY=; b=U4ssVtG4X8If/sEjBAQuGE8NrQtATTkZullt/PY6GvobxgR6bYB+1VP+zNJqESDWEW mrPYSj7oC1Nkpowf/3W2injMeQCA4Jcbx8Rb6+iBhMi6OqdLlV9whbRZ6Kq7ubUVHkeD LBt3mXmjK8atgU0zmwjcgS6Q/CJTLtue7fwHY=
X-RZG-AUTH: :PmMIdE6sW+WWP9q/oR3Lt+I+9LAZzXrcq8knhvfmBiJzkmKt0Zib1EwEOzr8+BJk08DewNKUfU3E4jne94TokXG+zKOVlCUr9g==
Received: from [IPv6:2003:f4:73c0:c300:1db0:ea01:31b5:12f1] ( [IPv6:2003:f4:73c0:c300:1db0:ea01:31b5:12f1]) by (RZmta 42.14 AUTH) with ESMTPSA id j0221etBJBUe5TZ (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client did not present a certificate) for <>; Tue, 19 Dec 2017 12:30:40 +0100 (CET)
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Roland Zink <>
Message-ID: <>
Date: Tue, 19 Dec 2017 12:30:41 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Patient] [saag] Internet Draft posted as requested -
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Dec 2017 11:30:47 -0000

Hi Stephen,

Am 18.12.2017 um 18:08 schrieb Stephen Farrell:
> Even with supposed "knowledge" (see the number 269 below),
> cookies and other bearer tokens mean that so-called visibility
> is the same as allowing impersonation unless one doesn't
> actually ever apply the mitm technology to the web. The chances
> of that seem to be zero to me.
Impersonation is what is done on the server side for example in CDNs. 
Your data may end in a different country than you think. Do you propose 
to stop such things only on the client side?

> And of course, many of the so-called "visibility" schemes,
> immediately do allow for endpoint impersonation for everything
> and not just bearer-token situations, whenever the middlebox
> so chooses, regardless of the language used to describe those
> schemes. Which brings us back to them being no better than the
> current ickky corporate mitm root-ca stuff.
And the server is even allowed to instruct my browser to tell 3rd 
parties what I'm doing. The referer header is used for pervasive 
monitoring. There is not only a end-to-end connection instead there 
could be many. The end user should have control over them but is not 
even notified.