<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Much like HSTS; Expect-CT is starting to be deployed too (this replaces certificate pinning).</p>
<p class="MsoNormal"><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This will prevent users from accessing sites that are signed by a certificate that does not appear in the public transparency logs…<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The best option – if this is truly to be used for emergency communications – is to try the proposed FCC path.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:Bryan@bryanfields.net">Bryan Fields</a><br>
<b>Sent: </b>Friday, August 16, 2019 6:28 PM<br>
<b>To: </b><a href="mailto:psdr@hamwan.org">psdr@hamwan.org</a><br>
<b>Subject: </b>Re: [HamWAN PSDR] Idea for addressing HTTPS on HamWAN</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On 8/16/19 3:56 PM, John C. Miller wrote:<br>
> I say that SSL-Split *was* initially fairly simple, because in the 10 years<br>
> since its creation a variety varied steps have been taken by browser<br>
> developers and web engineers to force encryption to be used for all web<br>
> traffic. But the developers of SSL-Split have evolved the program<br>
> considerably and have kept pace to a large extent with current technology.<br>
> The latest version of SSL-Split is much more powerful than early versions,<br>
> with the capability of (among other things) essentially creating x.509<br>
> security certificates on the fly when needed, refusing certificate<br>
> revocation status requests, bypassing HSTS, and other tactics that can<br>
> neutralize the "forced https/encrypted" policies in wide use><br>
> The power of SSL-Split to convert web data streams from http to https and<br>
> back is a central piece of the strategy that I'm examining. In the use<br>
> case for HamWAN, we are using tools like SSL-Split not as an attack weapon,<br>
> but rather as a data conversion utility. We insert our "conversion server"<br>
> running SSL-Split and other tools into the appropriate place on the<br>
> network, and let it do data stream conversion for us.<br>
<br>
So question, why not just have it re-encrypt with a well known hamwan cert on<br>
the proxy. You can have the clients install this and trust it. It does take<br>
some work, but it gets around the major issues. Technically the data is still<br>
encrypted but if you publish the private keys, anyone can decrypt it. Part 97<br>
is mostly concerned with the intent of hiding your communications. If you use<br>
encryption with a published key, it's for authentication and "kosher".<br>
<br>
Perhaps logging some flow data on SSL would be a good compromise on this too.<br>
<br>
-- <br>
Bryan Fields<br>
<br>
727-409-1194 - Voice<br>
<a href="https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbryanfields.net&data=02%7C01%7C%7C005798704b674c2808b308d722b22b46%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637016020942378053&sdata=r90o1dke2vqpIvFroz8%2BnmYZvg2aV17w5n0%2B%2FAANWag%3D&reserved=0">https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbryanfields.net&data=02%7C01%7C%7C005798704b674c2808b308d722b22b46%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637016020942378053&sdata=r90o1dke2vqpIvFroz8%2BnmYZvg2aV17w5n0%2B%2FAANWag%3D&reserved=0</a><br>
_______________________________________________<br>
PSDR mailing list<br>
PSDR@hamwan.org<br>
<a href="https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.hamwan.net%2Fmailman%2Flistinfo%2Fpsdr&data=02%7C01%7C%7C005798704b674c2808b308d722b22b46%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637016020942388058&sdata=kyyBi3y08Jz43mjZIEoieZXFzWdsrmVWaeLmQ2DwshM%3D&reserved=0">https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.hamwan.net%2Fmailman%2Flistinfo%2Fpsdr&data=02%7C01%7C%7C005798704b674c2808b308d722b22b46%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637016020942388058&sdata=kyyBi3y08Jz43mjZIEoieZXFzWdsrmVWaeLmQ2DwshM%3D&reserved=0</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>