W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

Re: Getting to Last Call

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 30 Dec 2011 07:07:54 +0100
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>, Adrien de Croy <adrien@qbik.com>
Message-ID: <20111230060754.GC22331@1wt.eu>
Hi,

On Thu, Dec 29, 2011 at 07:55:41PM -0800, Roy T. Fielding wrote:
> On Dec 29, 2011, at 4:44 PM, Mark Nottingham wrote:
> 
> > SHOULD affects conformance. At most, I think we'd add something to the security considerations saying that proxies "ought to" or "are encouraged to."

OK. But UAs are even more encouraged to do so too, as they're the
bigest blocking factor right now.

> FWIW, I consider it to be a security hole for any user agent
> to automatically change the configured proxy authority.

Agreed.

> If
> the user/org wants to connect via TLS, then the user/org should
> configure the proxy with an https URI.

That's what I meant. Basically have the UA add a check box in the
proxy settings "Use TLS to connect to proxy".

> There is no guarantee
> that a proxy on port 443 is controlled by the same org as the
> one on port 80.

It can be even worse: the proxy might be running on port 8080 or
3128 as is often encountered, and automatically detect SSL/TLS vs
HTTP and still not forward the request to the same place.

> OTOH, the spec already allows communication on port 80 to be
> Upgraded to TLS.  No changes are necessary to support that.

Indeed. Not sure it's much deployed though, especially considering
it adds one round trip to the connection setup.

Regards,
Willy
Received on Friday, 30 December 2011 06:08:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:51 GMT