Menu

My1’s Crazy Tech Ideas #01: Integrity header for proxies

Hi everyone, it’s me again (not as if there would be many other options)

I rather often have some pretty crazy Ideas and I kinda want to preserve them and also hear what the people think about them and maybe someone picks them up if they are good.
so let’s start with the first Idea of my set.

Many people probably have heard of middleboxes or company-proxies and other similar things which attempt to “legitimately” play a Man in the Middle (MitM) in internet connections to achieve some sort of goal. While the name of the attack is usually more faced towards the malicious implementations of these, such as stealing passwords and other sensitive data, the word’s meaning obviously means any implementations with something in the middle doing stuff someone may or may not want them to do.

These things have many uses, but one obvious drawback, the full need to trust the proxy and the impossibility to see the connection details of the proxy (e.g. certificate data and whatnot), and that’s where my Idea comes in. with TLS generally a few things are exchanged as signed message upon the server certificate (the website is obviously signed as well, to ensure integrity on top of encryption), my Idea would be that the proxy could stuff these into a header and therefore have a way to tell the client that the proxy didnt modify the site, show the certificate and connection metadata. While the proxy still has the ability to see everything and straight-out block stuff that it doesnt want to get to the clients, it wont be able to modify anymore without screwing the integrity validation.

 

Basically a little bit like DKIM (which can be used to check forwarded E-Mails, but instead made for webservers to check forwarded websites.

 

So, what do you guys think about this?

I hope you read again next time

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.