Re: handling 1xx responses

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 4 Sep 2002 13:34:52 +0200

Robert Collins wrote:
> On Wed, 2002-09-04 at 20:40, Henrik Nordstrom wrote:
> > Robert Collins wrote:
> > > and TLS on port 80 is another. (There is a IETF draft on this on the
> > > HTTP pages somewhere).
> >
> > Right. More than a draft btw. Standards Track RFC 2817 and officially
> > updates RFC 2616. Contains good descriptions of how to make use of
> > Upgrade, and a new response type for when the server wants the client to
> > upgrade.
> >
> > The same RFC also defines the CONNECT method for establishing tunnels via
> > proxies as the solution to the end-to-end property of Upgrade.
>
> .................................^^^^^^^^^^
>
> Do you mean Hop-by-hop property of upgrade?

Yes, I do.

CONNECT as a solution to provide end-to-end upgrades via proxies, as Upgrade
is only hop-by-hop and cannot provide end-to-end upgrades to TLS.

> I've just read the rfc 2817, looks good to me. Another project
> for the devel pile?

Looks like it. Should not be too hard to add to the SSL support. But I am not
sure if there will be anyone requesting this feature, as it is a feature that
is very likely to have a hard time getting accepted and working on the
Internet as it is today.

Issues:
 * Man-in-the-middle attacks forcing downgrades by removing the Upgrade
header.
 * User interface and trust. Users are used to https:// URLs meaning something
is supposedly secure. Using the Upgrade option does not provide any such
indication and other means must be used to indicate the URL is secure or that
requests must/will be sent encrypted.
 * All existing proxies (including all Squid installations) will need to be
reconfigured to allow CONNECT to port 80. The previous Netscape document
strongly recommends CONNECT to only be allowed for known SSL services.

Regards
Henrik
Received on Wed Sep 04 2002 - 05:34:56 MDT
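The two checks the mail turns on, modelled as an added example (not Squid code and not part of the thread): a proxy-side rule that forwards CONNECT only to known SSL ports, in the spirit of the Netscape recommendation and of Squid's `http_access deny CONNECT !SSL_ports` default, and a client-side classification of the answer to an RFC 2817 `Upgrade: TLS/1.0` request, so that a plain 200 where a 101 was expected is treated as a failed upgrade rather than silently continuing in the clear. The port set and all HTTP messages are constructed for the example.

```python
"""Added example (not Squid's code): two checks from the RFC 2817 discussion.

 1. connect_allowed(): a proxy forwards CONNECT only to known SSL ports.
 2. upgrade_outcome(): a client that asked to upgrade to TLS treats anything
    other than 101 Switching Protocols (with Upgrade: TLS echoed back) as a
    failed upgrade. The client cannot tell a server that simply does not
    support Upgrade from a middlebox that stripped the header; both look the
    same, which is exactly the downgrade problem raised in the mail.
All messages and the port list below are constructed for this example.
"""
from typing import Dict, Set, Tuple

# Assumption: the proxy's configured "known SSL services" (Squid's SSL_ports).
SSL_PORTS: Set[int] = {443}


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 message head into its start line and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def connect_allowed(request: bytes, ssl_ports: Set[int] = SSL_PORTS) -> bool:
    """Proxy side: allow a CONNECT tunnel only when the target port is a known SSL port.

    A CONNECT to port 80 (what RFC 2817 upgrades via a proxy would need) is
    refused under the default policy and only passes if 80 is added to ssl_ports.
    """
    start, _ = parse_head(request)
    method, target, _version = start.split(" ", 2)
    if method != "CONNECT":
        return False  # not a tunnel request; other access rules decide it
    host, _, port = target.rpartition(":")
    return bool(host) and port.isdigit() and int(port) in ssl_ports


def _tokens(value: str) -> Set[str]:
    """Comma-separated header value -> set of lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def _asks_tls(headers: Dict[str, str]) -> bool:
    return any(t.startswith("tls/") for t in _tokens(headers.get("upgrade", "")))


def upgrade_outcome(request: bytes, response: bytes) -> str:
    """Client side: classify the server's answer to an RFC 2817 upgrade request.

    'upgraded'      -> 101 with Upgrade: TLS/... and Connection: Upgrade; start the
                       TLS handshake on this connection.
    'refused'       -> the request asked for TLS but the answer came back in the
                       clear (server unsupported, or Upgrade stripped in transit).
                       A client that required TLS must not send sensitive data.
    'not-requested' -> the request carried no Upgrade: TLS, nothing to check.
    """
    _, req_h = parse_head(request)
    if not _asks_tls(req_h):
        return "not-requested"
    status_line, resp_h = parse_head(response)
    code = status_line.split(" ")[1]
    if (code == "101" and _asks_tls(resp_h)
            and "upgrade" in _tokens(resp_h.get("connection", ""))):
        return "upgraded"
    return "refused"


# Constructed sample messages (RFC 2817 section 3 style).
REQ_UPGRADE = (b"OPTIONS * HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
RESP_101 = (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
RESP_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
CONNECT_443 = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
CONNECT_80 = b"CONNECT www.example.com:80 HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n"

if __name__ == "__main__":
    print("CONNECT :443 allowed:", connect_allowed(CONNECT_443))   # True
    print("CONNECT :80 allowed:", connect_allowed(CONNECT_80))     # False
    print("101 answer:", upgrade_outcome(REQ_UPGRADE, RESP_101))   # upgraded
    print("200 answer:", upgrade_outcome(REQ_UPGRADE, RESP_200))   # refused
```

The second check only closes the downgrade hole when the client has decided beforehand that TLS is mandatory (RFC 2817 has the client send `OPTIONS *` with Upgrade for that case); a client that is willing to fall back to cleartext on "refused" gains nothing, which is the user-interface and trust point in the mail.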

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:16:26 MST