nanog mailing list archives
Re: HTTPS redirects to HTTP for monitoring
From: Kelly Setzer <Kelly.Setzer () wnco com>
Date: Sun, 18 Jan 2015 20:05:18 +0000
I don't know if you're referring to HSTS. If not, it's worth noting in this thread. As I understand HSTS, session decryption is still possible on sites that send the 'Strict-Transport-Security' header. See: https://tools.ietf.org/html/rfc6797

I suspect it's only a matter of time before browsers become suspicious by default, requiring that HTTPS responses be signed and requiring that SSL certificates come from trusted sources. In other words, HSTS is the next step in a long-running arms race. It will not be the last.

See this 1997 article for a taste: http://www.apacheweek.com/features/ssl

Money quote: "The US Government imposes export restrictions on arms, in a set of rules called ITAR"

All of this points to the deficiency of the existing commercial certificate authority system. The fact that organizations can easily purchase software specifically designed to subvert encrypted communication channels is proof that HTTPS security is an illusion.

Kelly

On 1/18/15, 12:31 PM, "William Waites" <wwaites () tardis ed ac uk> wrote:
> On 18 Jan 2015 18:15:09 -0000, "John Levine" <johnl () iecc com> said:
> > I expect your users would fire you when they found you'd blocked
> > access to Google.
>
> Doesn't goog do certificate pinning anyways, at least in their web browser?
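As an added example (not code from this thread), here is a minimal Strict-Transport-Security parser following RFC 6797 together with the two decisions an HSTS-aware client derives from it; the function names and the policy-store layout are mine. It makes the point in the message above concrete: the policy constrains the URL scheme and certificate-error handling, and says nothing about which trusted root issued the certificate.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse an STS header value per RFC 6797 s6.1. Returns a dict, or None
    when the header is invalid (max-age missing, or a directive repeated)."""
    seen, policy = set(), {"include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:          # duplicate directive: header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy if "max_age" in policy else None


def remember(store, host, header, now=None):
    """Record a header seen over HTTPS in the known-HSTS-hosts store."""
    p = parse_hsts(header)
    if p is None:
        return False
    now = time.time() if now is None else now
    if p["max_age"] == 0:         # max-age=0 removes the host from the store
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = (now + p["max_age"], p["include_subdomains"])
    return True


def enforce(store, url, now=None):
    """Return (url to fetch, cert_errors_fatal). HSTS rewrites http to https
    and makes certificate errors non-overridable; it does not pin a CA, so a
    chain from any locally trusted root is still accepted."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(parts._replace(scheme="https", netloc=netloc)), True
    return url, False
```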