On 7 February 2013 07:46, Yoav Nir <[email protected]> wrote (that I wrote):
> " 10. Must work across all types of proxies. Proxies that can modify
> the plaintext HTTP requests and responses can (but should not)
> interfere with any session continuation protocol."
>
> A man-in-the-middle is a type of proxy, so this seems like an
> unsatisfiable requirement.

Actually, that's not quite right. Protocols can work across a proxy, but what's required is that the proxy does not gain the ability to pretend to be one of the endpoints. If you satisfy this, then a MitM can snoop, but can't masquerade. But this seems to impose quite a strong constraint on the protocol: in particular, future traffic must somehow be bound to the (end-to-end) session continuation.
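One way the binding discussed above could look, as an added example that is not part of the original thread: every request carries a counter and an HMAC under a session key, so a proxy that reads the plaintext still cannot alter, replay or originate requests. The end-to-end key agreement, the field names and the `Client`/`Server` classes are assumptions; the thread does not specify a mechanism.

```python
import hashlib
import hmac
import os

def request_tag(key: bytes, counter: int, method: str, path: str, body: bytes) -> str:
    """MAC over length-prefixed fields, binding one request to the session."""
    fields = [str(counter).encode(), method.encode(), path.encode(), body]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Client:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def request(self, method: str, path: str, body: bytes = b"") -> dict:
        self.counter += 1
        tag = request_tag(self.key, self.counter, method, path, body)
        return {"method": method, "path": path, "body": body,
                "counter": self.counter, "tag": tag}

class Server:
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, req: dict) -> bool:
        expected = request_tag(self.key, req["counter"], req["method"],
                               req["path"], req["body"])
        if not hmac.compare_digest(expected, req["tag"]):
            return False                      # modified or forged in transit
        if req["counter"] <= self.last_counter:
            return False                      # replay of an observed request
        self.last_counter = req["counter"]
        return True

def demo() -> dict:
    # Assumption: the key was agreed end to end and never crossed the proxy in clear.
    key = os.urandom(32)
    client, server = Client(key), Server(key)
    genuine = client.request("GET", "/account")
    observed = dict(genuine)                  # the proxy can read the whole request
    results = {"genuine": server.accept(genuine),
               "replayed": server.accept(observed)}
    tampered = dict(client.request("POST", "/transfer", b"to=alice"), body=b"to=mallory")
    results["tampered"] = server.accept(tampered)
    guess = os.urandom(32)                    # proxy has no session key, only a guess
    forged = {"method": "POST", "path": "/transfer", "body": b"to=mallory", "counter": 3,
              "tag": request_tag(guess, 3, "POST", "/transfer", b"to=mallory")}
    results["forged"] = server.accept(forged)
    return results

if __name__ == "__main__":
    print(demo())
```

The scheme only holds if the key itself is established end to end; a key carried in a plaintext header would hand the proxy the ability to masquerade.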
