[mythtv-users] Open Failed: No suitable proxy found

Brian J. Murrell brian at interlinx.bc.ca
Fri Mar 2 15:45:13 UTC 2018


On Sat, 2018-03-03 at 03:53 +1300, Stephen Worthington wrote:
> 
> But you were talking about proxying an HTTPS URL.

I assume you mean "not" above.  And sure, maybe one URL was http and
not https, but that is just one example.  Proxy support has to work for
all URLs, not just select ones.

> And it is possible
> to proxy HTTPS properly - you have to use a proxy that has a proper
> certificate and load that certificate into your certificate store.

I don't consider launching MitM attacks on my users "proper".

> Since you are doing the man-in-the-middle
> yourself, with proper certificates, the other end does not have any
> problems with the connection and you are not creating a security
> risk.

Except that every client that comes into my network needs to install my
CA-impersonating certificate and (some) systems will complain about
having "untrusted" certificates installed:

https://www.howtogeek.com/198811/ask-htg-whats-the-deal-with-androids-persistent-network-may-be-monitored-warning/

I don't want to train my users to ignore security warnings.

On another note, what a MitM-transparent-proxy is actually doing is
impersonating a trusted CA due to one particular weakness of the CA
system which is that any CA can generate any certificate for any domain
name.  I am sure you have seen the many stories in the news about this
happening and the repercussions to the security of SSL (in general) due
to it.  It is understood as a serious enough problem that CAs lose
their "trustworthiness" because of it and end up going out of business.

But also the point of the seriousness of it is that there are solutions
to the problem in general underway.  Certificate pinning was thought to
be a solution but is being deprecated, but is still out there, in
Chrome and other browsers for at least the near future.  In its place
is Certificate Transparency which achieves the same goal of alerting
users to CA impersonation.  MitM-transparent-proxy is going to trigger
certificate pinning and certificate transparency warnings/errors.
Again, not wanting to train my users to ignore such warnings.

The bottom-line is that I am not really interested in the rigmarole of
transparent proxies and would just like systems configured to use
proxies to actually work.  I suspect that in the case of MythBE (and
QT) systems this is just not going to happen.

I have actually been re-considering the value of a proxy in my network
with the ever-increasing movement towards HTTPS.  This might just be another vote in the "trash it" column.

Cheers,
b.