HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 22:44 UTC (Mon) by anselm (subscriber, #2796)
In reply to: HTTPS interception in Nokia's mobile browser by nim-nim
Parent article: HTTPS interception in Nokia's mobile browser

People condemning transparent https proxying also refuse to give another choice (because that would be 'unsecure') even while the other choice works every day with smtps (an smtp relay is just a mail proxy under another name).

If you want mail that is end-to-end secure you need something along the lines of PGP or S/MIME, which happens in the MUA and amounts to HTTPS. The hop-by-hop »proxying« that SMTP servers do does nothing for message security because, even with SMTP-over-TLS (SMTPS is no longer a thing), while the traffic between the various servers may be encrypted the messages are processed and queued on the servers themselves in clear text.



Posted Jan 29, 2013 9:48 UTC (Tue) by nim-nim (subscriber, #34454)

The point is, there is zero technical reason https could not follow the same security model as e-mail. That would make proxy MITM-ing unnecessary.

You send your traffic to the relay, it can inspect and modify it, if the relay operator wants to inspect it and you send an encrypted message, it can refuse to carry it, the rest is negotiation between the operator and you, no need for SSL breaking like on HTTPS.

Posted Jan 29, 2013 13:16 UTC (Tue) by khim (subscriber, #9252)

The point is, there is zero technical reason https could not follow the same security model as e-mail.

Sure. That's why it works in exactly the same way: HTTPS does not care about intermediate steps. But if text is not signed by a correct key then it refuses to work. The same way as PGP and S/MIME always worked.

The only difference is that mail is send-and-forget thus it's harder to enforce S/MIME and/or PGP (if you refuse to read unencrypted mail then you often lose the important info). But still a lot of confidential docs where I work are sent encrypted so what's the difference between mail and HTTPS?

Posted Jan 29, 2013 13:43 UTC (Tue) by nim-nim (subscriber, #34454)

It does not work exactly the same way.

With mail you can say 'you are on a restricted network, use smtp server foo as relay, everything else will be blocked' (and then the user can choose to use the relay or not, and the relay can choose to relay or not depending on its settings).

With http you have to MITM to get the same result.

Posted Jan 29, 2013 13:49 UTC (Tue) by khim (subscriber, #9252)

With http you have to MITM to get the same result.

If you don't want to open an encrypted message then a simple routing rule will be enough, and there are proxy autodiscovery mechanisms; if you do want to open an encrypted message then you must somehow convince me to replace the key in my PGP or S/MIME client - the same as with HTTPS.

So I cannot see the difference. Well, except for one: you need to specify a relay for the mail, while a proxy can be autodiscovered. I don't think it's such a big difference.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.