Re^7: SSL on PerlMonks

Are you asking for proof that https makes it more difficult for web caching? I guess I thought that was self evident, but I forget that maybe not everyone notices or measures such things. I've measured my own cache hit usage off and on for over 15 years, running my own at home. To anyone paying attention to cache hit rates in their browsers across their machines, it should be pretty evident that when you hit a ssl site, you see a start of an ssl session at the beginning of contact, and an end-of-session at the end. You no longer see any individual items to cache.

You have to break apart the ssl stream in order to cache the objects. If you setup your own squid-proxy you'll see this -- nothing subjective about it. That's just for content caching and speedup. Many other private network providers (companies & institutions) want to see what is accessed for purposes of controlling their networks. Blocking the net entirely isn't an option for most such operations. So they go the route of opening the streams.

If they allow people to bring their own devices in, they can easily tell people they need to install a new root-cert to allow for auditing of content to comply with whoever sets regulations & laws for them and that users of the proxy need to be aware that while no one is specifically reading the content of their traffic, they destinations and contact points are logged and anyone accessing sensitive sites might not want to do it on premises.

I've only been on the squid list for about 15 years or more, and its easy to see an uptick in conversations related to SSL bumping and solving related problems. Information in the squid wiki has gets very detailed in how to set things up now due to the number of conversations. I don't think anyone is claiming that this is done "covertly" but it is becoming more "routine".

I can't see who would want to fund a study showing increased https usage is associated with increased SSL bumping, so if you are looking for such stats, you might have to do your own research.

While many people may have been able to use semi-public computers @ libraries and such for https sites 10-20 years ago, now I wouldn't be so sure about privacy. But feel free to regard it as subjective. Everyone has their own level of comfort.

I've seen more than one case of companies and ISP's having root-certs when they, officially, weren't supposed to. In most of those cases, the problematic access was said to have been closed and the problem brushed under the carpet... er, problem solved. Right. And with the US policing agencies having been caught multiple times with their hand in our traffic, you think they are going to have problems copping a root cert these days with every social site using https? Before, when it was 99+% banks and such for users, spying on https traffic might have raised a few more eyebrows, but today?

Comment on Re^7: SSL on PerlMonks

Replies are listed 'Best First'.
Re^8: SSL on PerlMonks by Your Mother (Archbishop) on Sep 27, 2017 at 15:09 UTC
Proof that using more secure technology makes the web less secure. It's completely counter intuitive to me, like saying pouring more water on something makes it drier. So I would like to see some external, objective validation of the assertion instead of anecdote and conjecture.	[reply]
Re^9: SSL on PerlMonks by Anonymous Monk on Sep 27, 2017 at 15:25 UTC
"The more you tighten your grip, the more systems will slip through your fingers." -- Princess Leia	[reply]
Re^9: SSL on PerlMonks by perl-diddler (Chaplain) on Sep 29, 2017 at 22:41 UTC
If using the "more secure" technology results in more "Entities" intercepting and bumping SSL traffic, then security has been lowered. I'm not saying "how much" it is lowered. It's like open-source If you have specific needs or wants, you are welcome to submit your own work. Your attitude feels a bit demanding -- because you don't like that more people are routinely breaking open SSL streams, you want figures on how much. I'd like to see those too -- so if you want to find out and share the information with us, that'd be great! In addition to the uptick in those asking how to do SSL bumping (start w/squid-users list and its archives and view the number asking for how to do it, or look at the squid-cache wiki and see the info on how to set it up and note that it wasn't available 10 years ago. People wouldn't take the time to publish how-to's in a wiki if there was no demand. Five-ten years ago, most of the questions were about how to cache various types of content or block it. Now a fair percentage is related to SSL bumping. If you want exact percentages, you are welcome to peruse the archives or google search for those making mistakes with certs. Dell, for example, installed a root-cert with the private key on all Dell computers that is reinstalled via their update service (https://www.grc.com/sn/sn-535-notes.pdf). Other discussions are going on about whether or not USA certs are trustworthy with the CIA, apparently being caught with more than one suborned root-cert (https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/istISpHpMqE). I've seen articles that talk about companies (including some ISP's) purchasing suborned root-certs for their network/customers. Since https has become more common, more entities have decided to find ways to intercept and crack that traffic. If you want details as to amounts, you are welcome to contribute... You should feel lucky -- it's not like it is a closed-project where you can't contribute.	[reply]
Re^10: SSL on PerlMonks by Your Mother (Archbishop) on Sep 29, 2017 at 23:57 UTC
I find the assertion that the more https traffic goes through the web, the less secure the web is to be in the same realm as “the Earth is flat.” It’s an outrageous assertion from my perspective and requires evidence, not conjecture, or it should be dismissed outright. Consider a corollary to your assertion: If all https traffic were switched to http, the web would be more secure.	[reply]