Peace,

On Thu, Jul 30, 2020, 4:39 PM Salz, Rich <rs...@akamai.com> wrote:

> We have a product, site shield, that customers can use to limit the IP
> addresses of who can reach their origin server. Everyone else is blocked.
> Some use that to make sure that *only* Akamai servers will talk to them,
> and that everything else goes through us. Is that a proxy? How is it
> different from terminating TLS in the DMZ and sending it inside? How does
> the client know?

I don't know, and this *is* the problem. I may be connecting to the service from a network I don't trust with my information, and I have (almost) no tool to tell me whether it is served from a different network via a secure connection *or* it is served from an edge node deployed *in the same network I don't trust*, that node being connected to the service through an unauthenticated channel. Like in [1], where this unauthenticated channel is being marketed as "end-to-end encryption".

This approach basically defies all the end-to-end encryption efforts. When it comes to static content, with all the JS security implemented, this is mostly fine. Dynamic content is a very different story.

[1] https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options

--
Töma
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls