HTTPS interception in Nokia's mobile browser [LWN.net]

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:16 UTC (Tue) by khim (subscriber, #9252)
In reply to: HTTPS interception in Nokia's mobile browser by nim-nim
Parent article: HTTPS interception in Nokia's mobile browser

The point is, there is zero technical reason https could not follow the same security model as e-mail.

Sure. That's why it works in exactly the same way: HTTPS does not care about intermediate steps. But if text is not signed by a correct key then it refuses to work. The same way as PGP and S/MIME always worked.

The only difference is that mail is send-and-forget thus it's harder to enforce S/MIME and/or PGP (if you refuse to read unencrypted mail then you often lose the important info). But still a lot of confidential docs where I work are sent encrypted so what's the difference between mail and HTTPS?

(Log in to post comments)

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:43 UTC (Tue) by nim-nim (subscriber, #34454) [Link]

It does not work exactly the same way.

With mail you can say 'you are on a restricted network, use smtp server foo as relay, everything else will be blocked' (and then the user can choose to use the relay or not, and the relay can choose to relay or not depending on its settings)

With http you have to MITM to get the same result.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:49 UTC (Tue) by khim (subscriber, #9252) [Link]

With http you have to MITM to get the same result.

If you don't want to open encrypted message then simple routing rule will be enough and there are proxy autodiscovery mechanisms, if you do want to open encrypted message then you must somehow convince me to replace key in my PGP or S/MIME client - the same as with HTTPS.

So I can not see the difference. Well, except for one: you need to specify relay for the mail, while proxy can be autodiscovered. I don't think it such a big difference.