- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 30 Dec 2011 07:07:54 +0100
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>, Adrien de Croy <adrien@qbik.com>
Hi,

On Thu, Dec 29, 2011 at 07:55:41PM -0800, Roy T. Fielding wrote:
> On Dec 29, 2011, at 4:44 PM, Mark Nottingham wrote:
>
> > SHOULD affects conformance. At most, I think we'd add something to the security considerations saying that proxies "ought to" or "are encouraged to."

OK. But UAs are even more encouraged to do so too, as they're the biggest blocking factor right now.

> FWIW, I consider it to be a security hole for any user agent
> to automatically change the configured proxy authority.

Agreed.

> If
> the user/org wants to connect via TLS, then the user/org should
> configure the proxy with an https URI.

That's what I meant. Basically have the UA add a check box in the proxy settings "Use TLS to connect to proxy".

> There is no guarantee
> that a proxy on port 443 is controlled by the same org as the
> one on port 80.

It can be even worse: the proxy might be running on port 8080 or 3128 as is often encountered, and automatically detect SSL/TLS vs HTTP and still not forward the request to the same place.

> OTOH, the spec already allows communication on port 80 to be
> Upgraded to TLS. No changes are necessary to support that.

Indeed. Not sure it's much deployed though, especially considering it adds one round trip to the connection setup.

Regards,
Willy
Received on Friday, 30 December 2011 06:08:36 UTC
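The point both Roy and Willy agree on above is that a user agent must take the proxy authority (scheme, host, port) from its configuration only, and must never on its own swap an `http://` proxy for the same host on port 443 or turn on TLS where the configured URI does not say `https://`. The following Python is an added illustration of that rule for UA implementers; it is not code from the original message or from any of the participants, and the function and type names (`parse_proxy_uri`, `ProxyAuthority`, `may_connect`) are assumptions made for the example.

```python
"""Added example (not part of the original mailing-list post): a user agent
must use TLS to its proxy only when the configured proxy URI says https://,
and must never "helpfully" connect to a different host/port/scheme than the
one configured, because nothing guarantees that the proxy on port 443 (or
8080, or 3128) is run by the same organisation as the configured one.
All names here are illustrative assumptions."""

from dataclasses import dataclass
from urllib.parse import urlsplit

# Default ports implied by the configured scheme when none is given.
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class ProxyAuthority:
    """The one and only place a UA may connect to for a configured proxy."""
    scheme: str
    host: str
    port: int

    @property
    def use_tls(self) -> bool:
        # TLS to the proxy is decided solely by the configured scheme,
        # i.e. the user/org ticked "Use TLS to connect to proxy".
        return self.scheme == "https"


def parse_proxy_uri(uri: str) -> ProxyAuthority:
    """Parse the user's configured proxy URI into a ProxyAuthority.

    Only http:// and https:// proxy URIs are accepted; a missing port is
    filled in from the scheme, never guessed from network behaviour.
    """
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("proxy URI has no host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return ProxyAuthority(parts.scheme, parts.hostname.lower(), port)


def may_connect(configured: ProxyAuthority, host: str, port: int, tls: bool) -> bool:
    """Return True only if (host, port, tls) is exactly the configured authority.

    Any deviation (different host, a "try 443 instead" port change, or TLS
    toggled without the scheme saying so) is refused: the UA must not change
    the configured proxy authority automatically.
    """
    return (
        host.lower() == configured.host
        and port == configured.port
        and tls == configured.use_tls
    )


if __name__ == "__main__":
    # Constructed sample configuration: a plain-HTTP proxy on port 8080.
    cfg = parse_proxy_uri("http://proxy.example:8080")
    print("configured:", cfg, "tls:", cfg.use_tls)
    # The configured target is allowed; an automatic "upgrade" to 443/TLS is not.
    print("same authority:", may_connect(cfg, "proxy.example", 8080, False))
    print("auto-upgrade to 443/TLS:", may_connect(cfg, "proxy.example", 443, True))
    # With an https:// URI the user explicitly asked for TLS to the proxy.
    tls_cfg = parse_proxy_uri("https://proxy.example")
    print("https proxy:", tls_cfg, "tls:", tls_cfg.use_tls)
```

The decision to use TLS lives entirely in `parse_proxy_uri`, driven by the scheme the user or organisation wrote down; `may_connect` then acts as a guard in front of the socket code so that redirects, autodetection heuristics or "let's try 443" fallbacks cannot move the connection to an authority the user never configured.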