On Thu, Feb 9, 2012 at 9:49 AM, Phillip Hallam-Baker <[email protected]> wrote:
> I agree on the problem of Web middleboxen being a problem.
>
> What I really dislike about the BlueCoat solution is that it is
> transparent. Which is of course why enterprises like them. They can
> just deploy and forget. The fact that the purpose of the box is to
> violate core assurances in the Web UI is irrelevant to them. They have
> a regulatory requirement and will pay someone to achieve that at the
> least personal effort to them.

There is a much better solution: block most outgoing HTTPS. I know it works because I know of at least one major organization where such a policy is applied. There's also a prohibition on accessing sites for personal purposes. So no gmail, no nothing. There's also a prohibition on using personal systems (laptops, say) on the corporate network.

How do people get by? Smartphones and wireless. Who needs to access the 'Net through an employer's network anymore? (Yes, I know, lots of people have no other way, but it's only a matter of time till very few have no other way.)

> I think we need to address SSL middleboxen properly (and not in this
> forum, probably in TLS). Like prostitution, there are people who are
> going to do this somehow, better to allow for it and regulate it
> properly than have it happening in dark corners. The next logical step
> is to attack the client with some sort of applet that adds a bogus
> root into the certstore.

Web authentication that handles channel binding would detect the MITMs. Then authentication just fails. We could make it so users could choose to do hop-by-hop security across MITMs they approve of, but I'd rather just fail and let the user find a non-MITMed path.

Sadly, *very* sadly, we don't have such authentication mechanisms on the web :(

> First off, the whole point of the SEC regulations is that traders etc.
> should know that they are being watched. So they should not be using a
> regular client anyway. They should be using a client that regularly
> tells them that their connections are being intercepted. I would think
> this is also advisable from a liability, privacy and ethical point of
> view.

Indeed.

Nico

-- 
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
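The channel-binding check Nico refers to, as an added example that is not part of the original post and not any IETF specification text: a simplified challenge-response login in which the client's proof is a MAC over the server nonce and a tls-server-end-point style binding (RFC 5929: a hash of the server certificate on the TLS connection each endpoint is actually on). An interception box terminates TLS toward the client with its own certificate (trusted because a bogus root was installed), so the client and the origin compute different bindings and the origin rejects the proof. The certificate bytes, password, salt and function names here are constructed for the demonstration; the box is assumed to relay the proof unchanged and not to know the password.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-ins for the DER-encoded end-entity certificates each TLS
# endpoint presents. The origin has one; a TLS-terminating interception box
# (with a bogus root installed on the client) presents a different one.
ORIGIN_CERT_DER = b"constructed DER: CN=www.example.com, issuer=Public CA"
MITM_CERT_DER = b"constructed DER: CN=www.example.com, issuer=Corporate Proxy Root"

PASSWORD = b"correct horse battery staple"  # constructed shared secret


def tls_server_end_point(cert_der: bytes) -> bytes:
    """tls-server-end-point style binding (RFC 5929): hash of the server
    certificate on the TLS connection this endpoint terminates."""
    return hashlib.sha256(cert_der).digest()


def derive_client_key(password: bytes) -> bytes:
    # Salted, iterated derivation so the proof is not a raw password hash.
    return hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 4096)


def client_proof(password: bytes, nonce: bytes, cb: Optional[bytes]) -> bytes:
    """Proof the client sends. With channel binding, the binding of the TLS
    channel the client sees is mixed into the MAC; without it, only the
    server nonce is."""
    msg = b"auth-message|" + nonce + b"|" + (cb if cb is not None else b"")
    return hmac.new(derive_client_key(password), msg, hashlib.sha256).digest()


def server_verify(password: bytes, nonce: bytes, cb: Optional[bytes],
                  proof: bytes) -> bool:
    """The origin recomputes the proof with the binding of *its own* TLS
    connection and compares in constant time."""
    expected = client_proof(password, nonce, cb)
    return hmac.compare_digest(expected, proof)


def run_exchange(mitm: bool, channel_binding: bool) -> bool:
    """Simulate one login. Returns True if the origin accepts the proof."""
    nonce = secrets.token_bytes(16)  # server challenge, relayed as-is by the box
    # TLS leg the client terminates: the box's certificate when intercepted.
    client_cert_seen = MITM_CERT_DER if mitm else ORIGIN_CERT_DER
    # TLS leg the origin terminates: always its own certificate.
    server_cert_seen = ORIGIN_CERT_DER
    client_cb = tls_server_end_point(client_cert_seen) if channel_binding else None
    server_cb = tls_server_end_point(server_cert_seen) if channel_binding else None
    proof = client_proof(PASSWORD, nonce, client_cb)  # forwarded unchanged by the box
    return server_verify(PASSWORD, nonce, server_cb, proof)


if __name__ == "__main__":
    print("direct, channel-bound:     ", run_exchange(mitm=False, channel_binding=True))
    print("intercepted, channel-bound:", run_exchange(mitm=True, channel_binding=True))
    print("intercepted, no binding:   ", run_exchange(mitm=True, channel_binding=False))
```

The third case shows why ordinary password or cookie authentication does not notice the box: nothing in the proof depends on which TLS session carried it. With a real TLS stack the binding comes from the library rather than from certificate bytes you hash yourself (Python's `ssl.SSLSocket.get_channel_binding("tls-unique")` exposes the tls-unique value, for instance), and the hop-by-hop variant Nico mentions would amount to the client deliberately authenticating to the box's channel, which the origin cannot distinguish from an attack unless the box re-authenticates on the client's behalf.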
