Re: [TLS] TLS Proxy Server Extension

Ken Peirce <> Wed, 03 August 2011 12:18 UTC

Date: Wed, 3 Aug 2011 05:18:23 -0700 (PDT)
From: Ken Peirce <>
Subject: Re: [TLS] TLS Proxy Server Extension
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>


> The use-case that interests me is deep firewall inspection.
> HTTP connections are routinely inspected by firewalls for
> downloaded malware, cross-site scripting, and various other
> attacks. Without a TLS proxy, HTTPS connections can either
> slip under the radar or get blocked entirely. That would
> have been fine a few years ago, when SSL was only used for
> shopping and banking sites (you could defer your shopping
> and banking for when you were home). These days the use of
> HTTPS is becoming more prevalent, so blocking HTTPS is no
> longer a good option. A TLS proxy allows an organization to
> use HTTPS while still applying company policy and defenses.

Why would you want to make banking and shopping less secure to support these other usage scenarios? The law enforcement community and service providers spend a lot of money to manage the security of their interception tools. There are many recorded cases where control of these tools was mishandled and abused by another party. TLS takes the human being out of the equation and protects the end user with known mathematical barriers. The TLS proxy exists today. It's two sessions in relay mode. The end user accepts the peer of the first session to be a trusted entity. If this trust is misplaced, that has nothing to do with the protocol. This is an application layer problem.

Please ask the IETF leadership to form a new working group for a new protocol with this proxy as a fundamental tenet. You can experiment with this new protocol all you want. I do not want to see TLS broken because of tinkering in the name of some unestablished need.