Re: [TLS] TLS Proxy Server Extension

Matt McCutchen <> Tue, 02 August 2011 16:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2453F21F8559 for <>; Tue, 2 Aug 2011 09:31:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id r8DrKl5Rwoc9 for <>; Tue, 2 Aug 2011 09:31:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 68B2221F854C for <>; Tue, 2 Aug 2011 09:31:09 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 1B34C280076; Tue, 2 Aug 2011 09:31:18 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws;; h=subject:from :to:cc:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s=; b=mcXlWQXsAIM5sRdFwUiWAJ3SyUSNFq+3NDbyXuZwVJT zAhdDnCi7iyZvKwe+ftcVmVPHpSppLg2RRukSWcWR0GWdet2dg6qwibueV0Fez5n wxDUhk/xUXzFEThvrBWAG9avHp7seLq8McO2skuiDrzpSi/lqMeqIJuKHaojIwXQ =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h= subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:content-transfer-encoding; s=; bh=WozRcOc1GAs0YipTlukBezhWoXQ=; b=rYkIMym8Xf Si7gHZHWWtenf3Agao6ub81HHsbKujHGw4gg+Ylv6MZ4nIVllkvmq6zH1nAdd6ch 1w+Sm9fTY23v3kdibrVRvJkpXiXqeA2osaS395IRL5fIS9qFcWjcIygk8qiWTUzO hjasRsBcjozAxBHE24pMrBVmWMz+93tgc=
Received: from [] (unknown []) (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 7D71828006F; Tue, 2 Aug 2011 09:31:17 -0700 (PDT)
From: Matt McCutchen <>
To: Yoav Nir <>
In-Reply-To: <>
References: <> <> <>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 02 Aug 2011 12:31:16 -0400
Message-ID: <1312302676.2174.31.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.3
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] TLS Proxy Server Extension
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Aug 2011 16:31:17 -0000

On Tue, 2011-08-02 at 09:19 +0300, Yoav Nir wrote:
> Decryption-only through sharing of keys would not work. Some of the
> processing to be done cannot be done by a passive eavesdropper. For
> example, if you send me an MS-Word document to my gmail account, and I
> would like to download it, the way to check for malware is for the
> proxy to download the entire file, scan it for malware, and then
> forward it to my computer. A passive eavesdropper would finish
> collecting the file too late - by then I already have it. An active
> proxy is necessary.

You are confusing layers.  TLS relies on the flow control of the
underlying stream.  The proxy would have to split the TCP connection in
order to collect the entire file, but it would ultimately send the
collected TLS records on to the client verbatim, so the TLS-level
behavior would be passive.

> I think he's missing the baseline. The baseline is that TLS proxies
> work well enough that companies deploy then. Even in Europe. There are
> some downsides to using them: client certificates and PSK suites don't
> work. Certificate and CA pinning don't work. The user cannot verify
> the actual server certificate chain. The EV indication is gone. But
> all these are not blocking administrators from deploying TLS proxies.
> They may be blocking sites from using client certificates or PSK
> suites, although there are plenty of other things blocking those (but
> that's from another thread)
> This extension may help with those deficiencies. With or without the
> extension, the existence (or possibility) of the proxy is visible to
> the user, because you need to install a CA certificate. A user can
> choose not to use the corporate network for accessing HTTPS sites
> where he's not comfortable with having the content inspected. The fact
> that the server is not similarly given a choice may be a problem, but
> that is a property of using TLS without client authentication. The
> extension can help, but only if the proxy uses it.

All agreed.

A person using a corporate laptop has no expectation of privacy from the
company.  The proxy extension just offers a technically more capable
solution for that scenario.

No one is proposing, per se, that TLS interception be used in any more
places than it is now.  Of course, interception may now be used in
places where it was always desired but could not be used before due to
protocol issues.  However, it's hard to believe that the proxy extension
would change the market and/or legal forces that currently restrain ISPs
from routinely intercepting customer traffic, if that is what Martin is
worried about.

The TLS WG may have a personal distaste for the use case addressed by
the extension.  But I would reason that the use case is valid, thus the
extension is worthy of standardization to get interoperable
implementations, and the TLS WG is the best venue available for
technical discussion.  As David explained
(, the
use case does not constitute wiretapping as defined in RFC 2804.