> In the majority of cases (i.e. delivering preseeded static content),
> no. It identifies as some-1337-garbage.static.example.com, which it
> basically *is*.
No. That might be the DNS name, but it is not the TLS certificate that the
server presents. That certificate MUST have a name that matches the original
name that the client (browser, often) presents. That's fundamental.
> However, there's a minority of cases where a CDN is also used to
> deliver *dynamically generated* content which could not be cached,
> e.g. because it is only available to authenticated users. In this
> case, the CDN in fact impersonates the origin, processes all the
> authentication data, and the only way to implement that is proxying
> across different areas of responsibility. How's that different from
> what middleboxes are doing is not clear to me.
CDNs also do things like API gateways, bot detection, etc. In some cases, the
dynamic traffic manipulation is more in either bytes or connections.
Consider this configuration in a fake language:

    <match cond="using-weak-cipher()">
        <redirect>/get/better/browser.html</redirect>
    </match>

Where does this fall?
I agree that if example.com hires a CDN or deploys a middlebox to do those
things, there is no difference.
> Proxy is a proxy.
That's too simplistic. We have a product, site shield, that customers can use
to limit the IP addresses of who can reach their origin server. Everyone else
is blocked. Some use that to make sure that *only* Akamai servers will talk to
them, and that everything else goes through us. Is that a proxy? How is it
different from terminating TLS in the DMZ and sending it inside? How does the
client know?
> is ... a Facebook-owned middlebox, or is it the endpoint
> server?
What is the endpoint server, if Facebook sends you there?
> The main difference though is that the data crosses the boundary
> between the areas of responsibility in a way which is not transparent
> to me.
And my point is that there is no such boundary. Or perhaps more accurately, it
is a barrier that they don't want you to see. Just like they might not want
you to know about the DMZ and interior network, which are often run by
different organizations inside the corporation.
_______________________________________________
OPSEC mailing list
https://www.ietf.org/mailman/listinfo/opsec
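As an added illustration of the point made above about certificate names (example code written for this page, not from the post or from any CDN's software): a small RFC 6125-style dNSName matcher, run over constructed SAN lists that use the hostnames from the thread. It assumes the name the client sent (SNI / Host header) is known to the checker.

```python
"""Hostname-to-certificate matching in the style of RFC 6125, section 6.4.

Constructed example, not from the mailing-list post: it shows why a CDN
node answering for www.example.com must present a certificate whose SANs
cover that name, regardless of the node's own DNS name.
"""

# Constructed SAN lists standing in for the dNSName entries of two certs.
CDN_NODE_CERT = ["some-1337-garbage.static.example.com"]   # node's own name
CDN_FRONT_CERT = ["www.example.com", "*.example.com"]      # customer's names


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' may only stand for a whole label."""
    if pattern == "*":
        return True
    # Reject partial-label wildcards such as 'f*o' (browsers reject them too).
    return "*" not in pattern and pattern == label


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName pattern covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.example.com' does not cover 'a.b.example.com'
    if "*" in pattern:
        # A wildcard is only permitted in the leftmost label ...
        if "*" not in p_labels[0] or any("*" in l for l in p_labels[1:]):
            return False
        # ... and the cert must still pin at least two fixed labels,
        # so '*.com' is rejected outright.
        if len(p_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(san_names: list[str], requested_host: str) -> bool:
    """True if any SAN entry covers the name the client actually asked for."""
    return any(dns_name_matches(n, requested_host) for n in san_names)


if __name__ == "__main__":
    # The node's own certificate is useless for the customer's hostname.
    print(cert_covers(CDN_NODE_CERT, "www.example.com"))   # False
    print(cert_covers(CDN_FRONT_CERT, "www.example.com"))  # True
```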