
Dev.SN ♥ developers

posted by Dopefish on Monday February 24 2014, @02:00PM
from the things-could-get-hairy dept.

mrbluze writes:

"A modified HTTP protocol is being proposed (the proposal is funded by AT&T) which would allow ISPs to decrypt and re-encrypt traffic as part of day-to-day functioning in order to save money on bandwidth through caching. The draft document states:

To distinguish between an HTTP2 connection meant to transport "https" URIs resources and an HTTP2 connection meant to transport "http" URIs resources, the draft proposes to 'register a new value in the Application Layer Protocol Negotiation (ALPN) Protocol IDs registry specific to signal the usage of HTTP2 to transport "http" URIs resources: h2clr'.

The proposal is being criticized by Lauren Weinstein in that it provides a false sense of security to end users who might believe that their communications are actually secure. Can this provide an ISP with an excuse to block or throttle HTTPS traffic?"

  • (Score: 5, Informative) by mechanicjay (7) on Monday February 24 2014, @02:27PM (#6030)

    No, just no.

    The network provider should not be in the middle here -- ever, not even for caching of non-encrypted stuff.

    How many times have any of you been on the end of a support call, where the end resolution is, "Wait for your ISP's transparent upstream proxy to refresh."

    On the content provider side, there's no reason not to do some heavy caching behind the SSL off-load appliance. The whole point, though, is that you, the client, are establishing trust with the site you're talking to. Honestly, how is this any different than the phone company saying, "We're going to make sure to listen in on all your voice calls, so we can be sure the network is used efficiently." That's not the point -- if your network can't handle the load, you need to build it out (charge more if you need to).

    This is basically a sanctioned man-in-the-middle attack, between you and every secure site you access, more or less a built-in backdoor. I'm sure these appliances wouldn't be prime targets for attacks or anything.

    It's almost as bad as the Clipper Chip, but for web browsers instead!

    --
    My VMS box beat up your Windows box.
  • (Score: 5, Informative) by frojack (1554) on Monday February 24 2014, @02:37PM (#6038)

    This!

    Client caches. Server validates cached elements. (The 304 return code has a purpose, people; learn it.)

    The network stays the hell out of this business.

    --
    Discussion should abhor vacuity, as space does a vacuum.
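The client-caches, server-validates model frojack describes, as an added example (not code from the post or from any project or draft it mentions): an origin-side conditional GET handler plus the client's revalidation step, using constructed header dicts and a constructed resource in place of a real HTTP stack. It goes slightly beyond the post by also handling the weak, list and `*` forms of If-None-Match and the If-Modified-Since fallback.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample resource on the origin server (not from the post).
RESOURCE_BODY = b"<html><body>cacheable page</body></html>"
RESOURCE_MTIME = datetime(2014, 2, 24, 14, 0, tzinfo=timezone.utc)

def strong_etag(body: bytes) -> str:
    """Validator derived from the representation itself."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]

def etag_matches(if_none_match: str, current: str) -> bool:
    """RFC 7232 weak comparison: '*' matches anything, the W/ prefix is ignored,
    and the header may carry a comma-separated list of tags."""
    if if_none_match.strip() == "*":
        return True
    def norm(tag: str) -> str:
        tag = tag.strip()
        return tag[2:] if tag.startswith("W/") else tag
    return any(norm(t) == norm(current) for t in if_none_match.split(","))

def handle_get(headers: dict) -> tuple:
    """Origin-side conditional GET -> (status, headers, body). The body is
    empty on 304, so only the validators cross the wire."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    etag = strong_etag(RESOURCE_BODY)
    resp = {"ETag": etag,
            "Last-Modified": format_datetime(RESOURCE_MTIME, usegmt=True),
            "Cache-Control": "private, max-age=0, must-revalidate"}
    if "if-none-match" in h:  # takes precedence over If-Modified-Since
        if etag_matches(h["if-none-match"], etag):
            return 304, resp, b""
    elif "if-modified-since" in h:
        try:
            if RESOURCE_MTIME <= parsedate_to_datetime(h["if-modified-since"]):
                return 304, resp, b""
        except (TypeError, ValueError):
            pass  # unparseable or timezone-less date: ignore the precondition
    return 200, resp, RESOURCE_BODY

def client_fetch(cache: dict) -> tuple:
    """Client side: the first fetch fills the cache; later fetches revalidate
    with the stored ETag and reuse the cached body on 304."""
    cond = {"If-None-Match": cache["etag"]} if cache else {}
    status, resp, body = handle_get(cond)
    if status == 304:
        return 304, cache["body"]
    cache.update(etag=resp["ETag"], body=body)
    return status, body
```

Nothing in this exchange needs a party in the middle: the validators travel end-to-end and the origin, not the network, decides whether the cached copy is still good.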
    • (Score: 4, Insightful) by Kawumpa (1187) on Monday February 24 2014, @03:27PM (#6085)

      The network will try to enforce whatever suits their interests; whether it's net neutrality or privacy doesn't matter. The providers eventually realised the flat-rate connectivity was a bad end-user business model to begin with and there is a lot of value in snooping every single bit of your online activity (see Facebook and Google).

      It's time we start encrypting all traffic end-to-end.