Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> writes:
> From: Eric Rescorla <[EMAIL PROTECTED]>
> ekr> Also, HTTP Upgrade interacts very badly with proxies. Since
> ekr> Upgrade is a hop-by-hop header, there's no way to negotiate
> ekr> an end-to-end HTTP Upgrade to TLS through a proxy, which is
> ekr> a serious problem. By contrast, HTTPS just uses the CONNECT
> ekr> method.
>
> Uhmm, what would stop any client from connecting to the proxy, say CONNECT
> to it, and after getting the 200 back do the HTTP Upgrade through that
> channel?

Nothing. However, think about the consequences of this. Since you
have no idea whether a given server will support upgrade to TLS,
you want to take advantage of it whenever it's available, right?
But in order to do so you've got to always use CONNECT and then
offer Upgrade. But this removes any possibility that the proxy
might cache your request (unless it violates the semantics of
the CONNECT), which seriously degrades the usefulness of the proxy
in many environments.

I suppose you could have a more sophisticated client which only
offered Upgrade when you were dereferencing a form or something,
but this still runs the risk that some confidential information
might leak (e.g. with basic authentication over HTTP) or when
the URL itself is secret.

-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
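The two behaviours discussed in this exchange, as an added Python model (not code from the thread or from OpenSSL): a toy HTTP/1.1 proxy that strips hop-by-hop headers on ordinary forwarding, so an `Upgrade: TLS/1.0` offer never reaches the origin, and that on `CONNECT` becomes an opaque tunnel through which the offer does arrive but which it can no longer cache. The header semantics follow RFC 2616 section 13.5.1 and RFC 2817; the `Proxy` class, the `origin` function and the request strings are constructed for illustration, and the tunnelled request is passed as a second argument purely to model the fact that the proxy never parses it.

```python
# Added example, not from the original mailing-list thread.
# Models why HTTP Upgrade is hop-by-hop (stripped by a proxy) while CONNECT
# tunnels the offer through at the cost of the proxy's caching ability.

# Headers a compliant proxy never forwards (RFC 2616 s13.5.1; Upgrade is one).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def strip_hop_by_hop(headers):
    """Headers a proxy forwards to the next hop: the fixed hop-by-hop set
    and every header named in Connection: are removed."""
    drop = set(HOP_BY_HOP)
    drop.update(t.strip().lower()
                for t in headers.get("connection", "").split(",") if t.strip())
    return {k: v for k, v in headers.items() if k not in drop}


def origin(request_line, headers):
    """Toy origin server (constructed): switches to TLS only if the
    Upgrade offer actually reached it."""
    if headers.get("upgrade", "").upper().startswith("TLS/"):
        return "HTTP/1.1 101 Switching Protocols"
    return "HTTP/1.1 200 OK"


class Proxy:
    """Toy forwarding proxy (constructed) with a response cache."""

    def __init__(self):
        self.cache = {}    # request target -> response, for plain GETs only
        self.tunnels = 0   # CONNECT tunnels opened; their contents are opaque

    def handle(self, raw_request, tunnelled=None):
        """Return (what the proxy did, the response the client sees).
        `tunnelled` is the request the client sends after CONNECT succeeds;
        it is a separate argument because the proxy never looks inside it."""
        request_line, headers, _ = parse_request(raw_request)
        method, target, _ = request_line.split(" ", 2)
        if method == "CONNECT":
            # RFC 2817 s5: after the 200 the proxy relays bytes blindly, so the
            # Upgrade offer survives, but nothing in the tunnel can be cached.
            self.tunnels += 1
            inner_line, inner_headers, _ = parse_request(tunnelled)
            return "tunnel", origin(inner_line, inner_headers)
        if target in self.cache:
            return "cache hit", self.cache[target]
        # Ordinary forwarding: Upgrade and Connection are dropped at this hop,
        # so the origin only ever sees a plain request.
        response = origin(request_line, strip_hop_by_hop(headers))
        if method == "GET":
            self.cache[target] = response
        return "forwarded", response


# Constructed sample requests.
UPGRADE_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Upgrade: TLS/1.0\r\n"
    "Connection: Upgrade\r\n"
    "\r\n"
)
CONNECT_REQUEST = (
    "CONNECT example.com:80 HTTP/1.1\r\n"
    "Host: example.com:80\r\n"
    "\r\n"
)


def demo():
    """Run the three cases the thread contrasts and return what happened."""
    proxy = Proxy()
    plain = proxy.handle(UPGRADE_REQUEST)      # offer stripped, origin answers 200
    again = proxy.handle(UPGRADE_REQUEST)      # served from the proxy cache
    tunnelled = proxy.handle(CONNECT_REQUEST, tunnelled=UPGRADE_REQUEST)
    return plain, again, tunnelled, len(proxy.cache), proxy.tunnels


if __name__ == "__main__":
    for label, result in zip(("plain", "repeat", "tunnel"), demo()[:3]):
        print(f"{label:7s} -> {result[0]:10s} {result[1]}")
```

Running `demo()` shows the trade-off in the reply: a plain request loses its Upgrade offer at the proxy but is cacheable, while the CONNECT path delivers the offer and the origin answers 101, at the price of the proxy seeing (and caching) nothing.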