Another attempt to split SSL into encryption and trust

November 11, 2008

From one perspective, ideally SSL would be split apart into encryption and trust, with the goal of letting you have encryption without trust. In theory you could achieve this with a different handling of https, but lately I have come to think that the user expectation problems of such a solution are insurmountable at this point; too many people just know what https in URLs means for its meaning to change (in a subtle way).

(My personal feeling is that it is pointless and even undesirable to go the other way and try to have trust without encryption.)

So, let's take as given an axiom: if it has https: visible in the URL it must have trust, not just encryption. Thus, however a split works, the SSL encryption must appear to use a http: URL as far as the user sees (and as far as Javascript sees). While SSL is client-initiated and thus servers could accept it on regular HTTP ports, the client browser can't just blindly try it with strange web servers, since it would be a protocol error (and make people unhappy when it showed up in their logs).

(The client browser cannot just quietly try making an https request instead of an http one, because even if it exists there's no certainty that a server's https website supports the same URLs with the same meanings as the http website does.)

If we're willing to accept that the first HTTP request to a web server won't be encrypted, we can have the server signal clients that it supports direct SSL on the normal HTTP port by adding an appropriate new HTTP header to its reply. Cooperative clients would then do SSL on subsequent connections. (Clients that want all real requests to a new web server to be encrypted if possible can try a small dummy request, perhaps 'HEAD /', before their first real request.)

One downside of this is that it would probably have terrible effects on the effectiveness of any intermediate caching proxies, especially transparent ones (at least until the proxies were updated to understand the scheme and either strip out the header or implement the scheme).

(Properly implemented it should not malfunction in the presence of an uncooperative proxy; the client browser would try once to do 'SSL over HTTP', fail, and fall back to ordinary HTTP.)


Comments on this page:

From 60.234.141.149 at 2008-11-11 01:33:59:

Is this not what RFC 2817 (Upgrading to TLS within HTTP/1.1) is all about? It has an "Connection: upgrade" header, and "101 Switching protocols" or "426 Upgrade required" reply from the server. -- Perry Lorier

By cks at 2008-11-11 08:29:13:

I learn something new all the time. You're right; this is more or less RFC 2817. The drawback I see to RFC 2817 is that it is explicitly a per connection thing, so you have to make a dummy request every time you do subsequent connections for more requests to the same site.

(There seems to be a bunch of opposition to RFC 2817, but most of what I've read on a quick skim is from people who want it to carry trust as well as opportunistic encryption, eg the discussion here. I agree that it fails for that for precisely the reason that I like the general idea.)

Written on 11 November 2008.
« Exploiting the Bourne shell to parse configuration files
Why not doing Unicode is easier than doing Unicode in Python »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Nov 11 00:42:40 2008
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.