Subj : Privacy is Power: tak
To   : Sean Dennis
From : Arelor
Date : Thu Sep 09 2021 09:56:40

Re: Privacy is Power: tak
By: Sean Dennis to Kurt Weiske on Wed Sep 08 2021 03:10 pm

> Not to sound obtuse but why? That violates the security principles I know.
> Why not inspect the packets before the SSL layer? Is there a genuine
> technical reason for doing something so stupid?

Many reasons. The main one is that many browsers request https URLs by default and there is no such thing as https->http redirection without breaking https. For example, if you use Chromium and ask it to visit richardfalken.com, it will try to connect to https://richardfalken.com and fail unless richardfalken.com:443 is reachable and has a valid certificate.

Then there is the fact that a lot of people are using HSTS in order to enforce TLS/SSL use from the server itself. If you use a laptop at home and connect to https://bank.com, you will get "infected" by an HSTS directive that mandates that your browser use https with bank.com for a given amount of time (maybe days). If you then come to my network with your laptop and try to connect to bank.com, the browser will refuse to use anything other than https.

From an administrative point of view it is just simpler to let the browser connect as it wants and just break its TLS as necessary. It is ugly and insecure, but if you want something sane you should not be using the web to start with.

--
gopher://gopher.richardfalken.com/1/richardfalken

--- SBBSecho 3.14-Linux
 * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
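The HSTS behaviour Arelor describes (the browser remembers a Strict-Transport-Security policy it received over https and upgrades later http requests for that host until max-age expires) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any BBS or browser: a minimal HSTS cache following the RFC 6797 rules that matter here (ignore the header over plaintext, honour includeSubDomains, rewrite http to https, forget the policy after max-age). The host names bank.example and other.example and the 7-day max-age are constructed for the walk-through.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None if the header is
    malformed or lacks the mandatory max-age directive."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """The per-browser 'known HSTS hosts' store, with an injectable clock."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.store = {}

    def observe(self, url: str, headers: dict) -> None:
        """Record the policy carried by a response. Only https responses count
        (RFC 6797 section 8.1); a header seen over plaintext is discarded, since
        anyone on the path could have injected it."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:            # max-age=0 means "forget this host"
            self.store.pop(host, None)
            return
        self.store[host] = HstsEntry(self.clock() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an
        unexpired policy."""
        host = host.lower()
        now = self.clock()
        entry = self.store.get(host)
        if entry and entry.expires > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self.store.get(parent)
            if entry and entry.expires > now and entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser will actually fetch: an http URL for a
        known host is upgraded to https before any connection is made
        (RFC 6797 section 8.3), so a plaintext MITM never sees the request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if parts.port == 80:        # an explicit :80 becomes :443
            netloc = netloc.rsplit(":", 1)[0] + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def scenario():
    """Constructed walk-through of the post's laptop: it learns bank.example's
    policy at home over https, then is carried onto a network serving plaintext."""
    now = [0.0]
    cache = HstsCache(clock=lambda: now[0])
    results = {}
    # A policy delivered over plain http must not be trusted.
    cache.observe("http://bank.example/", {"Strict-Transport-Security": "max-age=604800"})
    results["plaintext_ignored"] = not cache.is_known("bank.example")
    # The genuine https visit pins the host (and its subdomains) for 7 days.
    cache.observe("https://bank.example/login",
                  {"strict-transport-security": "max-age=604800; includeSubDomains"})
    now[0] = 86400                  # one day later, on someone else's network
    results["upgraded"] = cache.rewrite("http://bank.example/")
    results["subdomain_upgraded"] = cache.rewrite("http://www.bank.example:80/x?y=1")
    results["unrelated_untouched"] = cache.rewrite("http://other.example/")
    now[0] = 604801                 # just past max-age: the pin has lapsed
    results["expired"] = cache.rewrite("http://bank.example/")
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point the model makes concrete: the upgrade happens inside the browser before any packet leaves the machine, so a network that only offers plain http for a pinned host cannot "redirect" the client anywhere; it can only serve a TLS endpoint of its own, which is exactly the interception Arelor is describing.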