On 01/04/12 18:43, Antoine Musso wrote:
Le 01/04/12 12:55, Petr Bena wrote:
I see no point in doing that. HTTPS doesn't support caching well and is generally slower. There is no use for readers for that.
HTTPS has nothing to do with caching, it just transports information between the client and the server so they can actually handle caching.
HTTPS supports caching as well as HTTP since they are exactly the same protocol, the first just being encrypted.
There would be a small difference if you're behind a caching proxy, but that's unlikely to make a difference to pretty much everyone.
I do agree there is probably no use for readers to have HTTPS enabled. If the purpose is to bypass countries' firewalls such as in China (or I think Thailand), they will just intercept the HTTPS connection from the server on their hardware, decipher it for analysis and re-sign the content with their own certificate before sending it back to clients.
Note that such an approach would yield a certificate which, if stored during the attack and later published, is a proof of their evil-doing. Any CA willingly doing that (even if "forced by the government") would (should) be immediately revoked from the browsers' certificate bundles.
(I believe such interposition has been done in the past, though)
That is exactly what you do in a big company when you want to make sure (as an example) that your employees do not use the chat function in Facebook.
A company can install its own CA certificate on its own computers, and have a policy of "we will sniff everything" (note that if the employee is not conveniently informed of that, the wiretapping could well be illegal). I wonder how they handle self-signed certificates.
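A defender-side check for the re-signing interception discussed in the thread, added here as an example and not code from any of the participants: it compares the issuer of the verified leaf certificate against a pinned expected issuer, in the dict format Python's ssl.SSLSocket.getpeercert() returns, and keeps the raw certificate as evidence when the pin fails. The pinned issuer values and the host are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed placeholder: the issuer recorded from a connection you trust.
EXPECTED_ISSUER = {"organizationName": "Example Trust Services",
                   "commonName": "Example CA R1"}

def flatten_name(rdn_sequence):
    """Convert getpeercert()'s tuple-of-tuples name, e.g.
    ((('countryName', 'US'),), (('commonName', 'R1'),)), into a flat dict."""
    name = {}
    for rdn in rdn_sequence:
        for attr_type, attr_value in rdn:
            name[attr_type] = attr_value
    return name

def issuer_matches(peercert, expected=EXPECTED_ISSUER):
    """Return (ok, observed_issuer). ok is False when any pinned attribute is
    missing or differs, which is what a proxy that decrypts the connection and
    re-signs the leaf with its own CA produces, even though the handshake
    verified fine against a trust store that contains that CA."""
    observed = flatten_name(peercert.get("issuer", ()))
    return all(observed.get(k) == v for k, v in expected.items()), observed

def evidence_record(peercert, der_bytes, host):
    """Keep what a later publication of the certificate would rest on: the raw
    DER, its SHA-256 fingerprint and the names seen."""
    return {
        "host": host,
        "sha256": hashlib.sha256(der_bytes).hexdigest(),
        "subject": flatten_name(peercert.get("subject", ())),
        "issuer": flatten_name(peercert.get("issuer", ())),
        "der_hex": der_bytes.hex(),
    }

def check_host(host, port=443, timeout=5.0):
    """Connect with normal verification, then apply the issuer pin to the leaf.
    Returns None when the pin holds, otherwise the evidence record."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            peercert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    ok, _ = issuer_matches(peercert)
    return None if ok else evidence_record(peercert, der, host)

if __name__ == "__main__":
    print(check_host("example.org") or "issuer matches pin")
```

The handshake alone cannot flag an interposed CA that is already in the local trust store; only the out-of-band pin does, which is why the record keeps the DER bytes rather than just a verdict.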