It's not like that at all.
The original text makes a claim about security and privacy around TLS.
This is not true in the real world, and is becoming less true with every
MitM deployed.
Client authentication is very rarely used because of the significant
challenges of managing client certificates. I don't see that improving
any time soon. None of my banks even issued me with a client cert or
want me to use one.
We saw the increase in pressure to provide a MitM option, and it
coincided with Google and Facebook moving to https only. Ignore that if
you like, but that's the honest experience of a proxy vendor. I would
much rather not have had to do this, but in the end we had to.
So many people seem to think (Google included) that the browser user
should have all the power, and not be able to be stopped or scanned. In
a corporate network, the company is ENTIRELY justified in securing and
restricting the use of its network. That's what a proxy is for. That
need isn't going to go away just because everyone moves to https. That
need just becomes harder to meet, and you won't find people are thankful
for being forced to do that extra work to secure and control their
networks. Putting https where it's not needed (and it's not needed
everywhere) just worsens the user experience, and provides false signals
to users (since all attempts at making a system where the user could
know they were being MitMed were rejected by the people who would
evidently rather just ignore the problem and hope it goes away). This
is all customer needs driven. Until those needs change, then vendors
will try to meet those needs.
So your final comment is completely out of place.
Adrien
------ Original Message ------
From: "Stephane Bortzmeyer" <[email protected]>
To: "Adrien de Croy" <[email protected]>
Cc: "Shane Kerr" <[email protected]>; "[email protected]"
<[email protected]>
Sent: 6/05/2016 8:59:45 p.m.
Subject: Re: Fwd: New Version Notification for
draft-song-dns-wireformat-http-03.txt
On Wed, May 04, 2016 at 10:13:09PM +0000,
Adrien de Croy <[email protected]> wrote
a message of 316 lines which said:
> TLS was designed to provide data integrity and security, but not in
> the face of MitM attacks.
You're playing with words here. It all depends if you use TLS in the
strict sense (just the protocol) or the wider one (with
authentication; note that authentication is an official part of the
spec, in section 7 of RFC 5246, it is not delegated to some other
RFC).
> Google's push for https everywhere has in our experience provided
> significant incentive for MitM deployment.
It seems an argument straight from the attackers: "we are forced to
improve our attacks because the users - the bastards, how do they
dare? - improved their defenses".
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop