Re: protocol support for intercepting proxies from Henrik Nordstrom on 2007-06-17 (ietf-http-wg@w3.org from April to June 2007)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Mon, 18 Jun 2007 01:21:16 +0200
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1182122476.20393.18.camel@henriknordstrom.net>

mån 2007-06-18 klockan 10:23 +1200 skrev Adrien de Croy:

> Given that the problem is not going to go away because people are not 
> going to want to stop using intercepting proxies, wouldn't it be better 
> if there was some proper protocol support for the concept?

Big fat no from this proxy vendor (Squid). Interception and
Authentication does not mix, and should not mix.

What would be better is a standardized proxy discovery mechanism. WPAD
isn't far from that today, and complemented with a DNS SRV profile it's
fairly complete for all uses..

And perhaps some way for local networks to tell clients that proxies
MUST be used.

Doing this in HTTP is just dangerous. Switching to using proxies should
not be taken lightly as there is security and privacy concerns. Doing so
in response to messages from random servers without any chain of trust
to the client is just plain wrong.

What could reasonably be done in this area using HTTP interception is an
error indication which hints the client that it should go and look for a
proxy if it want's to gain Internet access. But not which proxy. That
needs to be discovered with some mechanism where there is a reasonable
chain of trust already established.

> UAs at the moment don't generally know if their connections are being 
> intercepted.  If they knew, then they could;
> 
> * let the user know connections were being intercepted
>     - ameliorates issues relating to privacy
>     - helps users decipher errors better (i.e. upstream connection failure)
>     - leads towards possible user-control over whether their traffic may 
> be intercepted or not

This is already in the specs thanks to the Via header.

> * cooperate better with the proxy.
>     - move to a proxy-oriented protocol operation (can fix many issues, 
> such as auth)
>     - deal with errors differently

And this is covered by WPAD (even if just Informal today..).

And without WPAD the UA could in theory extract what it needs from Via
to switch to proxy operation if desired, provided the proxy actually
adds what it is required to add to the Via, but doing so would be a
security nightmare due to the completely missing chain of trust.

Also many doing interception don't want their proxy to send Via because
they don't want to tell the user which proxy intercepted the request.
Quite many admins doing the interception dance even asks if it's
possible to completely hide any proxy generated error messages etc,
making things always behave as if the proxy wasn't there..

Regards
Henrik

Received on Sunday, 17 June 2007 23:21:36 UTC