W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: Secure (https) proxy authentification

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 16 Feb 2012 18:44:00 +0100
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: ietf-http-wg@w3.org
Message-ID: <20120216174400.GD22315@1wt.eu>
On Thu, Feb 16, 2012 at 03:36:47PM +0100, Nicolas Mailhot wrote:
> Hi,
> 
> Now that browsers have started refusing redirection of https sessions, there
> is no clean way for a proxy to point browsers to an https authentication
> portal when they need to be authenticated or re-authenticated.
> 
> The 407 error must be extended to indicate the https proxy authentication
> portal location to handle the cases where it is not desirable to have proxy
> auth transmitted in clear, and clients are too dumb to support anything more
> complex than basic auth over http or https.
> 
> (the other ???solution??? is DPI, but that's not really appealing except to proxy
> aplicance manufacturers)

Well, this is one more reason for urging all browser vendors to support
proxying over https. This will put an end to this redirection madness
which prevents most HTTP agents from working in such environments (eg:
firefox cannot even update itself at a customer's due to such proxies,
so everyone uses outdated versions until they decide to download the full
image again).

Regards,
Willy
Received on Thursday, 16 February 2012 17:44:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:56 GMT