On 09.05.2017 at 18:41, Salz, Rich wrote:
>> The second problem is that middle-boxes can break any signaling. For example a
>> CDN or TLS accelerator may enable 0-RTT towards the back-end origin without
>> enabling it to the original client. In this model, the client has *no* way to
>> reason about retries or replay.
> A CDN is not a middlebox.  As far as the client is concerned a CDN *is* the
> origin.  The agreement in-place between the CDN and the origin is out of scope
> here.  A TLS accelerator, which is a tool to help an origin with its *local*
> performance, or other lower-layer (in the L3 L5 etc sense) assist is within
> scope.  Does that make sense?

Depends on how you look at this. For TLS, the CDN is the origin. For an end user, the CDN is often a third party, which means some unknown entities get access to potentially private data. When this is in another country, this may include foreign official entities in addition to the third-party company itself. Really bad is when the user is not informed at all, e.g. the page URL doesn't show the CDN (or ad or tracking) company. For mass surveillance, just monitor a few tracking, advertising or CDN companies and you will get most of the URLs (Referer header) and more from most users without breaking the TLS security. So why do TLS at all?

>> That's really very broken and a serious violation of the transport layer
>> contract.
> Only if you believe CDN is a middlebox.  The transport layer contract is
> overridden by legal contracts or EULA :)
>
>         /r$
I would prefer if TLS wouldn't allow 3rd parties without user notification.

Roland

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
