TLS filtering alerts


by Falna » 2016-04-22, 12:16

In connection with this thread https://forum.palemoon.org/viewtopic.php?f=26&t=10239&start=20#p83696, I was interested to read that researchers X. de Carné de Carnavalet and M. Mannan include 'Recommendations for browser manufacturers' on page 13 of their report Killed by Proxy: Analyzing Client-end TLS Interception Software (https://madiba.encs.concordia.ca/~x_dec ... ss2016.pdf), saying (in slightly cut-down form):
  • As TLS filtering obviously breaks end-to-end security, we recommend a few additional active roles for browsers, specifically, to reduce harm from broken proxies. For example, browsers can warn users when a root certificate is inserted to a browser-specific trusted store (e.g., the Firefox store), or when filtering is active (e.g., via a warning page, once in each browsing session); connections via proxies may also be contingent upon user confirmation. At least, browsers should make active filtering apparent to users through security indicators.

    Note that browsers can easily detect the presence of proxies, e.g., from the received proxy-signed certificate, and recent browsers already accommodate several UI indicators, to show varying levels of trust in a given TLS connection. Recently, Ruoti et al. surveyed user attitudes toward traffic inspection, and reported that users are generally concerned about TLS proxies; 90.7% of participants expected to be notified when such proxying occurs (https://isrl.byu.edu/pubs/ruoti2016at.pdf).
Seems a good idea to me.
