On Oct 24, 2017, at 3:59 PM, Ted Lemon <mel...@fugue.com> wrote:

> On Oct 24, 2017, at 3:54 PM, David A. Cooper <david.coo...@nist.gov> wrote:
>> There are already middleboxes on the market today that do this. They work
>> for all outgoing connections and don't require any cooperation whatsoever
>> from the outside servers that the clients are trying to connect to, and only
>> expert users would notice the presence of the MiTM.
>
> They are also quite expensive because they have to generate certs on the fly.
> If you look at environments where these are in use, they tend to be either
> high-margin, or else low-use. So e.g. you only redirect TLS connections
> that you absolutely need to intercept through the box; other connections are
> terminated normally. Practically speaking, I don't see any cash-strapped
> school spending money on one of these devices.
BTW, if you find this argument unconvincing, consider why these boxes aren't being proposed for use as an alternative to draft-rhrd-tls-tls13-visibility-00. :)
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls