Consider using cloudflare/MITMengine for MITM detection #2530

Closed
mholt opened this issue Mar 18, 2019 · 3 comments
Labels
declined 🚫 Not a fit for this project feature ⚙️ New feature or request

Comments

@mholt (Member)
mholt commented Mar 18, 2019

1. What would you like to have changed?

Right now, Caddy's MITM detection logic is its own. It can be difficult to maintain in the long run and it is hard to be comprehensive with regards to everything that there is to detect.

Cloudflare just released an open-source MITM detector based on the same paper that Caddy's MITM logic is derived from. Rather than duplicate the (complex) logic, we can adopt it.

2. Why is this feature a useful, necessary, and/or important addition to this project?

It prevents code duplication and reduces maintenance burden. Cloudflare's logic is more comprehensive than Caddy's current PoC.

3. What alternatives are there, or what are you doing in the meantime to work around the lack of this feature?

n/a

4. Please link to any relevant issues, pull requests, or other discussions.

@mholt mholt added the feature ⚙️ New feature or request label Mar 18, 2019
@abiosoft commented
I can work on this, as long as it is not super urgent.

@mholt (Member, Author)

mholt commented Mar 19, 2019

It's important, but definitely not urgent. Go for it!

@mholt (Member, Author)

mholt commented Sep 14, 2022

Having watched the TLS space closely for the last several years, I'm inclined to suggest this feature may hold less and less utility as time goes on.

Clients are becoming more uniform, anti-fingerprinting countermeasures are being employed, and User-Agent strings are going away. There may be other ways to accurately detect MITM from the server perspective, but I don't know what they are. I feel like the current methodology will be less useful as time goes on. False positives will likely grow and grow.

Caddy's MITM detection was an inspiration or basis for Cloudflare's eventual implementation (as their blog post above cites), and I'm pleased with that. I just don't think that re-integrating this into Caddy is worth my time right now.

I have also had precisely 0 requests for this in the years since Caddy 2 was released (which doesn't have MITM detection). Even if I did hear a "that'd be cool", I would probably only be convinced to integrate this if there was a very compelling use case or a sponsor who needed this.

So, it's still on the table. But it is not planned anymore, so I'm closing this issue.

@mholt mholt closed this as not planned Won't fix, can't repro, duplicate, stale Sep 14, 2022
@mholt mholt added the declined 🚫 Not a fit for this project label Sep 14, 2022
@mholt mholt removed this from the 2.x milestone Sep 14, 2022
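To make the methodology the thread is weighing concrete (a server comparing the TLS ClientHello it actually received against the handshake shape that the client named in the User-Agent header is expected to send), here is an added illustrative example in Go. It is not Caddy's or cloudflare/MITMengine's code: the signature table, the User-Agent strings, the handshake values and the function names (`Classify`, `HelloSummary`) are all constructed for this example. It also reproduces the failure modes mholt describes above: a newer browser build that changes its handshake is indistinguishable from an interception proxy, and a reduced User-Agent string yields no verdict at all.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Verdict is the outcome of comparing a ClientHello against the handshake
// shape the User-Agent string claims the client should produce.
type Verdict string

const (
	VerdictMatch    Verdict = "match"    // handshake looks like the claimed client
	VerdictMismatch Verdict = "mismatch" // possible interception, or a client version the table does not know
	VerdictUnknown  Verdict = "unknown"  // User-Agent names no client family we have a signature for
)

// HelloSummary holds the ClientHello fields used for fingerprinting. Order
// matters: a proxy that re-originates TLS sends its own library's ordering.
type HelloSummary struct {
	CipherSuites []uint16
	Extensions   []uint16 // TLS extension type codes, in the order sent
}

// signatures maps a browser family to the handshake it is expected to send.
// These values are CONSTRUCTED for this example and are not real browser
// fingerprints; a real table is built from captured handshakes per version.
var signatures = map[string]HelloSummary{
	"chrome": {
		CipherSuites: []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384,
			tls.TLS_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		Extensions: []uint16{0, 23, 65281, 10, 11, 16, 43, 51},
	},
	"firefox": {
		CipherSuites: []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_CHACHA20_POLY1305_SHA256,
			tls.TLS_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		Extensions: []uint16{0, 23, 65281, 10, 11, 16, 51, 43},
	},
}

// clientFamily picks the browser family out of a User-Agent string.
// Checked in a fixed order because real UAs carry several product tokens.
func clientFamily(ua string) string {
	ua = strings.ToLower(ua)
	switch {
	case strings.Contains(ua, "firefox/"):
		return "firefox"
	case strings.Contains(ua, "chrome/"):
		return "chrome"
	}
	return ""
}

// equalU16 compares two lists including their order.
func equalU16(a, b []uint16) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// Classify compares the observed ClientHello against the signature implied
// by the User-Agent header. A mismatch is only a heuristic: it cannot tell
// an interception proxy from a client build the table has not seen yet.
func Classify(ua string, hello HelloSummary) Verdict {
	sig, ok := signatures[clientFamily(ua)]
	if !ok {
		return VerdictUnknown
	}
	if equalU16(sig.CipherSuites, hello.CipherSuites) && equalU16(sig.Extensions, hello.Extensions) {
		return VerdictMatch
	}
	return VerdictMismatch
}

func main() {
	// Constructed sample inputs; the UA strings are abbreviated, not real ones.
	chromeUA := "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/100.0 Safari/537.36"
	reducedUA := "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36" // no product token the table knows
	genuine := signatures["chrome"]
	// An interception proxy re-originating TLS with its own library.
	intercepted := HelloSummary{CipherSuites: []uint16{0xc030, 0x1301}, Extensions: []uint16{0, 10, 11, 13}}
	// A newer browser build that adds one extension: looks identical to interception.
	newerBuild := HelloSummary{CipherSuites: genuine.CipherSuites,
		Extensions: append(append([]uint16{}, genuine.Extensions...), 27)}

	fmt.Println(Classify(chromeUA, genuine))     // match
	fmt.Println(Classify(chromeUA, intercepted)) // mismatch
	fmt.Println(Classify(chromeUA, newerBuild))  // mismatch (false positive)
	fmt.Println(Classify(reducedUA, genuine))    // unknown
}
```

In a real server the cipher suites and curves would come from `tls.ClientHelloInfo` in a `GetConfigForClient` callback; depending on the Go version, extension IDs may have to be parsed from the raw ClientHello instead. The last two cases are the point of the closing comment: every browser release forces a table update or produces a false positive, and once the User-Agent string no longer identifies the client the comparison has nothing to anchor to.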