I've posted a new document to the datatracker that adds some TLS alert
codes that can be sent to indicate that a particular TLS request has been
blocked by the network. This attempts to address the problem of notifying
the user of what went wrong when a site is blocked, without creating a
channel that can be used by a hostile network to attack a user.

Feedback is solicited, naturally.

Thanks!

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


        Title           : Blocked Site Alerts for TLS
        Author          : Ted Lemon
        Filename        : draft-lemon-tls-blocking-alert-00.txt
        Pages           : 7
        Date            : 2016-06-06

Abstract:
   Hosts connecting to the Internet should generally be able to connect
   to all available services.  However, as a matter of policy, need or
   preference, some services may be blocked by the network.  TLS
   correctly treats attempts to communicate the reason for such blockage
   to the client as an attack.  This memo describes a safe way for hosts
   to be notified using the TLS alert mechanism that a connection has
   been blocked by the network.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-lemon-tls-blocking-alert/

There's also an htmlized version available at:
https://tools.ietf.org/html/draft-lemon-tls-blocking-alert-00
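To make the abstract's point concrete, here is an added example (my own code, not the draft's text or any implementation of it) that decodes a TLS alert record and applies the kind of conservative client policy the draft relies on: an alert carries only a two-byte code, so the client maps it to a locally defined message and never renders anything the network supplied. The record layout and the registered alert codes are from RFC 5246; the blocked-site code the draft defines is not reproduced here, so the value `DRAFT_BLOCKED_ALERT_PLACEHOLDER` is an assumption, not the draft's number. The sample records are constructed inline.

```python
"""Added example: decode a TLS alert record and apply a client policy.

Alert record layout (RFC 5246, section 7.2): content type 21, two-byte
protocol version, two-byte length (always 2 for an alert), then one
AlertLevel byte (1 = warning, 2 = fatal) and one AlertDescription byte.
"""
import struct

ALERT_CONTENT_TYPE = 21
LEVEL_WARNING, LEVEL_FATAL = 1, 2

# A subset of the registered AlertDescription values from RFC 5246.
KNOWN_ALERTS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}

# ASSUMPTION: placeholder for the blocked-site alert code the draft defines.
# The real value is in draft-lemon-tls-blocking-alert, not in this example.
DRAFT_BLOCKED_ALERT_PLACEHOLDER = 250
KNOWN_ALERTS[DRAFT_BLOCKED_ALERT_PLACEHOLDER] = "site_blocked_by_network"

# The only text a user ever sees comes from this local table, keyed by code.
# The network cannot inject a string of its own through a two-byte alert.
LOCAL_MESSAGES = {
    "site_blocked_by_network": "The network you are on blocked this site.",
    "access_denied": "The server refused the connection.",
    "close_notify": "The connection was closed.",
}
GENERIC_MESSAGE = "The secure connection could not be established."


def parse_alert_record(record: bytes) -> dict:
    """Parse one TLS record; raise ValueError unless it is a well-formed alert."""
    if len(record) < 5:
        raise ValueError("record shorter than the TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly two bytes")
    level, description = record[5], record[6]
    if level not in (LEVEL_WARNING, LEVEL_FATAL):
        raise ValueError(f"invalid AlertLevel {level}")
    return {"version": (major, minor), "level": level, "description": description}


def handle_alert(record: bytes) -> dict:
    """Client policy for an alert received during the handshake.

    Every path ends the connection: a malformed record, a fatal alert and an
    unknown code all abort (TLS 1.3, RFC 8446 section 6, requires unknown
    alerts to be treated as errors). Only the local message table is shown to
    the user, and the caller is never told to retry without TLS.
    """
    try:
        alert = parse_alert_record(record)
    except ValueError as err:
        return {"action": "abort", "name": "malformed", "reason": str(err),
                "user_message": GENERIC_MESSAGE, "retry_plaintext": False}
    name = KNOWN_ALERTS.get(alert["description"], "unknown")
    return {
        "action": "abort",
        "name": name,
        "reason": f"level={alert['level']} description={alert['description']}",
        "user_message": LOCAL_MESSAGES.get(name, GENERIC_MESSAGE),
        "retry_plaintext": False,
    }


if __name__ == "__main__":
    # Constructed sample records: TLS 1.2 version bytes (3, 3), body length 2.
    samples = {
        "fatal access_denied": bytes([21, 3, 3, 0, 2, 2, 49]),
        "blocked-site (placeholder code)": bytes([21, 3, 3, 0, 2, 2, 250]),
        "unknown warning": bytes([21, 3, 3, 0, 2, 1, 200]),
        "truncated record": bytes([21, 3, 3, 0, 2, 2]),
    }
    for label, rec in samples.items():
        print(label, "->", handle_alert(rec))
```

The design choice worth noting is that `handle_alert` has no branch in which the network's input reaches the user unchanged or in which the connection continues: the alert code selects among messages the client already ships, which is what keeps a blocking notification from doubling as a phishing or downgrade channel.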