@techreport{huitema-tls-tlsoverhttp-00,
    number =    {draft-huitema-tls-tlsoverhttp-00},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-huitema-tls-tlsoverhttp/00/},
    author =    {Christian Huitema},
    title =     {{TLS over HTTP}},
    pagetotal = 8,
    year =      2015,
    month =     mar,
    day =       9,
    abstract =  {We observe that attacks against HTTPS are getting more and more popular. The attacks typically exploit weaknesses in PKI certificate verification software. These weaknesses allow a third party to insert itself as a Man-In-The-Middle in a TLS connection, accessing the content of messages that were previously encrypted and in some case changing these messages. TLS over HTTP allows clients and servers to carry a TLS conversation on top of HTTP, and thus bypass the man-in-the-middle attackers. Different deployment models are possible, e.g., HTTP over TLS over HTTP, application-layer-protocol over TLS over HTTP, or HTTP over TLS over HTTP over TLS. The proposed solution allows for reuse of the existing TLS implementation, thus minimizing the development costs and risks. It includes an optional obfuscation layer, to maximize the likelihood of working unnoticed by firewalls and other MITM boxes.},
}