If you own the client and the proxy, it's still possible. Install a controlled root cert on the clients. On the proxy, dynamically create and sign certs for each domain the client requests. Present these false certs to the client's connection. On the "north" end the proxy is now responsible for verifying the remote cert chains, etc. The proxy has access to all the bytes, programmatic clients succeed in auth, and human clients have a green check box in the browser. Totally doable today. I think some of the commercial appliances even do this for you.
I suppose so, or maybe *.tld? I'm thinking it would depend on your clients' behavior. Clients don't go to that many unique FQDNs; dynamic creation + caching should be quite achievable.
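The south-facing half of the scheme the two comments above describe, as an added example written for this page in Go's standard library (it is not code from either commenter or from any appliance): a controlled root, a per-SNI leaf minted and signed on demand with the host name in the SAN, a mutex-guarded cache so each FQDN is signed once, and the client-side check that a machine trusting only that root accepts the forged leaf for the requested name and nothing else. The names `NewCA`, `CertCache`, `ClientAccepts`, the P-256 keys, the lifetimes and the host names are all assumptions made for the example. The north end, where the proxy must verify the real upstream chain, is not shown because it needs a network; the point there is simply to keep the upstream `tls.Config` at its default verification rather than setting `InsecureSkipVerify`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// CA is the proxy's signing key plus the root certificate that would be
// installed in the clients' trust store. Names and lifetimes are assumptions.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA generates a self-signed root with the CA basic constraint set.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Intercepting Proxy Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// CertCache mints one leaf per requested host name and keeps it, so a client
// that keeps returning to the same FQDN costs the proxy a single signature.
type CertCache struct {
	ca     *CA
	mu     sync.Mutex
	certs  map[string]*tls.Certificate
	Signed int // leaves actually signed; lets a caller confirm the cache works
}

func NewCertCache(ca *CA) *CertCache {
	return &CertCache{ca: ca, certs: make(map[string]*tls.Certificate)}
}

// GetCertificate matches the tls.Config.GetCertificate callback signature, so
// the proxy's listener can hand it every ClientHello. The SNI chooses the name.
func (c *CertCache) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host := hello.ServerName
	if host == "" {
		return nil, fmt.Errorf("client sent no SNI; no name to mint a certificate for")
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if cert, ok := c.certs[host]; ok {
		return cert, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	// One exact host name in the SAN; modern clients ignore the CN for matching.
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.ca.Cert, &key.PublicKey, c.ca.Key)
	if err != nil {
		return nil, err
	}
	cert := &tls.Certificate{Certificate: [][]byte{der, c.ca.Cert.Raw}, PrivateKey: key}
	c.certs[host] = cert
	c.Signed++
	return cert, nil
}

// ClientAccepts is the client's view: trusting only ca's root, is cert valid
// for host? This is the "green check box" decision, reproduced offline.
func ClientAccepts(ca *CA, cert *tls.Certificate, host string) bool {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return false
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, _ := NewCA()
	cache := NewCertCache(ca)
	c1, _ := cache.GetCertificate(&tls.ClientHelloInfo{ServerName: "mail.example.com"})
	c2, _ := cache.GetCertificate(&tls.ClientHelloInfo{ServerName: "mail.example.com"})
	fmt.Println("cached:", c1 == c2, "signed so far:", cache.Signed)
	fmt.Println("client with our root accepts mail.example.com:", ClientAccepts(ca, c1, "mail.example.com"))
	fmt.Println("same leaf for www.example.com:", ClientAccepts(ca, c1, "www.example.com"))
}
```

To wire this into a proxy, set `GetCertificate: cache.GetCertificate` on the `tls.Config` of the listener facing the clients; the upstream dial keeps the default `tls.Config` so the proxy, not the client, does the real chain verification. The cache is keyed on the exact SNI, so a wildcard is never minted and a leaf only ever matches the one name it was requested for, which the last check in `main` demonstrates.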