[TLS] Read-only vs. read-write proxies
Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 03 August 2011 06:11 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE56E21F888A for <tls@ietfa.amsl.com>; Tue, 2 Aug 2011 23:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.141
X-Spam-Level:
X-Spam-Status: No, score=-102.141 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BCRfPLavqKtL for <tls@ietfa.amsl.com>; Tue, 2 Aug 2011 23:11:34 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 335A821F8888 for <tls@ietf.org>; Tue, 2 Aug 2011 23:11:33 -0700 (PDT)
Received: by wyj26 with SMTP id 26so348435wyj.31 for <tls@ietf.org>; Tue, 02 Aug 2011 23:11:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=GFAJu8UeSVLHPhuhsvIl1EP07cgijlh93tHNS82zMJw=; b=hZIC+JNAhLOXtq3Scdx2Fvz7kubBZdi0Mot0Dkdg09jy//3sWbLM+J/u/GnOGLM08P j5oDbFiRcBdp32bxv258VjtIc3FrmIiej6jpG645iDlrNRyxGRkZ9h7nfFNyg+tDtOUD qzy2mvbQYsnVE/STJqJQLmFK6l6cpGvYY6Kfc=
Received: by 10.227.128.81 with SMTP id j17mr8027038wbs.55.1312351904467; Tue, 02 Aug 2011 23:11:44 -0700 (PDT)
Received: from [10.0.0.5] ([109.67.32.186]) by mx.google.com with ESMTPS id fr7sm392654wbb.56.2011.08.02.23.11.43 (version=SSLv3 cipher=OTHER); Tue, 02 Aug 2011 23:11:43 -0700 (PDT)
Message-ID: <4E38E69D.3000608@gmail.com>
Date: Wed, 03 Aug 2011 09:11:41 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: tls@ietf.org
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [TLS] Read-only vs. read-write proxies
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2011 06:11:35 -0000
First, I strongly dislike this type of corporate proxies, and would take the German constitutional regime any time. But in other free countries, this scenario is perfectly OK (legal and socially acceptable), and we need to cater for this use case.
If we break the TLS architecture as proposed here, we will have
killed forever any chance of having TLS-level mutual
authentication (TLS-PSK, TLS-SRP). This is IMHO too high a price
for the benefits of R/W proxies.
I have not been convinced by David's explanation of the need for
R/W proxies, nor by Yoav's use case. A malware detection proxy can
drop the connection precisely at the time malware is detected: the
Word document would not be received in its entirety and would be
rejected by the client. Even if a partial document is acceptable
(e.g. JPEG), a partial malware is (hopefully) not effective.
What are the reasons proxies need to modify the stream?
- Purely informational app-level insertion, of the "sent from my iPhone" kind. The *client* has a trusted channel to the proxy, and if this is needed, the client can insert this stuff.
- Security-specific signaling, of the "no spam detected here"
kind. The server wouldn't trust the proxy with that anyway (this
is a client-side proxy!) so this is not useful.
- Malware detection: just ax the connection.
- Other reasons?
Lastly, it is important that the server should know of the proxy's presence, even if the indication relies on the client's and/or the proxy's good will. I can think of banks who still use passwords for client auth, but would not allow logins where that password is clearly intercepted by a third party.
Thanks,
Yaron
- [TLS] Read-only vs. read-write proxies Yaron Sheffer
- Re: [TLS] Read-only vs. read-write proxies Marsh Ray
- Re: [TLS] Read-only vs. read-write proxies Yaron Sheffer