HTTPS redirects to HTTP for monitoring

Kelly Setzer Kelly.Setzer at wnco.com
Sun Jan 18 20:05:18 UTC 2015


I don't know if you're referring to HSTS.  If not, it's worth noting in
this thread.  As I understand HSTS, session decryption is still possible
on sites that send the 'Strict-Transport-Security' header.  See:
https://tools.ietf.org/html/rfc6797

I suspect it's only a matter of time before browsers become suspicious by
default, requiring that HTTPS responses be signed and requiring that SSL
certificates come from trusted sources.  In other words, HSTS is the next
step in a long-running arms race.  It will not be the last.  See this 1997
article for a taste: http://www.apacheweek.com/features/ssl

    Money quote: "The US Government imposes export restrictions on arms, in a
    set of rules called ITAR"

All of this points to the deficiency of the existing commercial
certificate authority system.  The fact that organizations can easily
purchase software specifically designed to subvert encrypted communication
channels is proof that HTTPS security is an illusion.


Kelly


On 1/18/15, 12:31 PM, "William Waites" <wwaites at tardis.ed.ac.uk> wrote:

>On 18 Jan 2015 18:15:09 -0000, "John Levine" <johnl at iecc.com> said:
>
>    > I expect your users would fire you when they found you'd blocked
>    > access to Google.
>
>Doesn't goog do certificate pinning anyways, at least in their web
>browser?
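The HSTS mechanism Kelly refers to (RFC 6797) is carried entirely in one response header, and the rules for interpreting it are small enough to show in full. The following Python is an added example written for this archive page, not code from any poster or from the RFC: it parses a `Strict-Transport-Security` value the way RFC 6797 section 6.1 requires a user agent to (required `max-age`, optional valueless `includeSubDomains`, each directive at most once, unknown directives ignored, quoted delta-seconds accepted) and applies the section 8.1 rule that only the first STS header in a response is processed. The sample header lines, the `HstsPolicy` type and the `hsts_status` / `first_sts_header` helper names are constructed for the example. Note that, exactly as the message above says, nothing here can tell a browser whether the TLS session it received the header over was terminated by the origin or by an intercepting proxy whose CA the client trusts; HSTS only governs whether the client will fall back to plain HTTP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical container for a parsed policy (not an RFC 6797 term).
@dataclass(frozen=True)
class HstsPolicy:
    max_age: int                      # delta-seconds the host stays an HSTS host
    include_subdomains: bool          # includeSubDomains directive present
    unknown_directives: Tuple[str, ...]  # e.g. "preload", which RFC 6797 does not define


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security field value per RFC 6797 section 6.1.

    Returns None where the RFC says the UA MUST ignore the header: missing
    max-age, a directive repeated, a malformed max-age, or a value given to
    includeSubDomains (which takes none).
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    unknown: List[str] = []

    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue                         # grammar allows empty directives
        name, sep, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip()
        if name in seen:
            return None                      # each directive at most once
        seen.add(name)

        if name == "max-age":
            if not sep:
                return None                  # max-age requires a value
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]          # quoted-string form is permitted
            if not re.fullmatch(r"[0-9]+", value):
                return None                  # delta-seconds must be ASCII digits
            max_age = int(value)
        elif name == "includesubdomains":
            if sep:
                return None                  # valueless directive
            include_subdomains = True
        else:
            unknown.append(name)             # UA MUST ignore unrecognised directives

    if max_age is None:
        return None                          # max-age is required
    return HstsPolicy(max_age, include_subdomains, tuple(unknown))


def first_sts_header(headers: List[Tuple[str, str]]) -> Optional[str]:
    """RFC 6797 section 8.1: if several STS headers arrive, process only the first."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return value
    return None


def hsts_status(headers: List[Tuple[str, str]]) -> str:
    """Summarise what a conforming UA would do with the response's STS header(s)."""
    value = first_sts_header(headers)
    if value is None:
        return "absent"
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"                     # header ignored, no change to UA state
    if policy.max_age == 0:
        return "cleared"                     # host ceases to be a known HSTS host
    return "active"


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "typical":   [("Content-Type", "text/html"),
                  ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "clearing":  [("Strict-Transport-Security", 'max-age="0"')],
    "no-maxage": [("Strict-Transport-Security", "includeSubDomains")],
    "duplicate": [("Strict-Transport-Security", "max-age=100; max-age=200")],
    "two-headers": [("Strict-Transport-Security", "max-age=abc"),
                    ("Strict-Transport-Security", "max-age=300")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:12s} -> {hsts_status(hdrs)}")
```

The `two-headers` case is the one worth remembering when reviewing a server's configuration: a malformed first header is not skipped in favour of a good second one, the response simply yields no policy.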


