Stories
Slash Boxes
Comments

SoylentNews is people

Pseudo HTTPS Proposed

posted by Dopefish on Monday February 24 2014, @06:00PM   Printer-friendly
from the things-could-get-hairy dept.

mrbluze writes:

"A modified HTTP protocol is being proposed (the proposal is funded by AT&T) which would allow ISP's to decrypt and re-encrypt traffic as part of day to day functioning in order to save money on bandwidth through caching. The draft document states:

To distinguish between an HTTP2 connection meant to transport "https" URIs resources and an HTTP2 connection meant to transport "http" URIs resource, the draft proposes to 'register a new value in the Application Layer Protocol negotiation (ALPN) Protocol IDs registry specific to signal the usage of HTTP2 to transport "http" URIs resources: h2clr.

The proposal is being criticized by Lauren Weinstein in that it provides a false sense of security to end users who might believe that their communications are actually secure. Can this provide an ISP with an excuse to block or throttle HTTPS traffic?"

 
This discussion has been archived. No new comments can be posted.
Pseudo HTTPS Proposed | Log In/Create an Account | Top | 73 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by sglane on Monday February 24 2014, @06:53PM

    by sglane (3133) on Monday February 24 2014, @06:53PM (#6056)

    I wouldn't call caching "broken" since CDNs work well even over SSL. CDNs are a better idea than an allowing an ISP to mangle HTTP by injecting their own headers and modifying the contents. By reworking TLS to have a "Trusted Proxy" you're removing the core concept of Transport Layer Security since you can't trust a proxy.

    Starting Score:    1  point
    Moderation   +2  
       Insightful=1, Interesting=1, Total=2
    Extra 'Insightful' Modifier   0  
    Total Score:   3  

  • (Score: 2, Informative) by mechanicjay on Monday February 24 2014, @07:18PM

    by mechanicjay (7) <mechanicjayNO@SPAMsoylentnews.org> on Monday February 24 2014, @07:18PM (#6074) Homepage Journal

    I understand your point, but I'd be careful of just a statement.

    When connect via https to the infrastructure here:

    Https connections are handled by our load balancer, which will then terminate your SSL connection, and *proxy* your traffic to the back-end web infrastructure in the clear. This is of course done via a private non-routable network. In this case, the proxy is trusted -- but it's a proxy acting as an agent of the site you're trying to trust, so everything is on the up and up. As far as you the client are concerned, you're secure to the server's front door, after that anything goes. This is a fairly common way to run a anything larger than a single server infrastructure.

    --
    My VMS box beat up your Windows box.