Re: Secure (https) proxy authentication

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Sun, 19 Feb 2012 11:22:52 +0100
Message-ID: <4ec05cf797322715a960743aeec0a48b.squirrel@arekh.dyndns.org>
To: squid3@treenet.co.nz
Cc: ietf-http-wg@w3.org

Amos Jeffries writes:
> On 19/02/2012 7:56 a.m., Nicolas Mailhot wrote:
> > (I don't remember the CVE numbers, but every
> > major browser stopped honoring those redirects at about the same time). So
>
> Ah, that restricted to 302, 300 and unknown 3xx redirects AFAIK, which
> are unsafe or difficult to allow safe auto-redirect for.

Yes, I totally understand the CVE logic, however this change broke most
authenticated proxy setups (and now that enterprises are finally retiring or
replacing IE6 they are stuck).

> Most of the hacks on the wikipedia page are involved with getting the
> packets to the portal's proxy software without making the browser aware
> that it exists. Simple proxy auto-configuration avoids all of these
> hacks. They all happen long before HTTP gets a byte in edgewise.

This part does not require browser configuration, and proxy autoconfiguration
can be challenging on a huge corporate network. The main problem right now is
getting browser cooperation to display the authentication form.

> How do you propose HTTP spec updates to solve "users who first use an
> email client or other will find the connection not working without
> explanation"? This being the problem which covers intercepted port 443
> packets for HTTPS portal.

I don't have any bright idea there. Though if people continue migrating to
webmail, that will eventually be academic.

> > I'd really like the working group to define such a standard method. It
> > wouldn't be complex or difficult to implement in browsers, and it would solve
> > many actual problems now.
>
> Do you mean a mechanism like the status 303 (See Other), 305 (Use Proxy)
> and 511 (Network Authentication Required)?

511 is exactly what I need. I was not aware of it. Is it implemented in any
browser yet? Where should I point the browser writers to get it implemented?

http://tools.ietf.org/id/draft-nottingham-http-new-status-04.txt ?

(except for the part where 511 generates a certificate error)

> Notice how 302 is not in that list despite Wikipedia noting that most
> portals use 302.

Most portals use 302, Bluecoat uses 307, and everyone is getting blocked by
browsers.

305 is useless for my needs as long as the RFC states that:

 Note: RFC 2068 was not clear that 305 was intended to redirect a
      single request, and to be generated by origin servers only.  Not
      observing these limitations has significant security consequences.

Anyway, 511 is much cleaner.

> That would seem to be one part of the underlying
> problem. The other part being browsers defaulting to disable WPAD
> support (needed for 303 to work) or treating 303 as 302 including those
> security protections.

The RFC does state:

Note: Many pre-HTTP/1.1 user agents do not understand the 303
      status. When interoperability with such clients is a concern, the
      302 status code may be used instead

Thank you for your help!

BTW: it would be nice if 7.3.6. 7.3.7. 7.4.8. referenced the error 511 (and
if error 511 description included the proxy keyword) or people won't find it.

-- 
Nicolas Mailhot
Received on Sunday, 19 February 2012 10:23:37 GMT
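
Added example (not part of the original message, nor code from any proxy or
browser vendor): the difference the thread turns on, seen from the client
side. A 302 from an intercepting portal cannot be told apart from an origin
redirect, while a 511 can. LOGIN_URL, portal_reply and classify are
hypothetical names, and the responses are constructed.

```python
from dataclasses import dataclass, field
from http import HTTPStatus
from typing import Optional
from urllib.parse import urlsplit

LOGIN_URL = "http://login.example.net/"  # hypothetical portal login page


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def portal_reply(authenticated: bool, use_511: bool) -> Optional[Response]:
    """Reply an intercepting portal injects; None means 'forward to origin'."""
    if authenticated:
        return None
    if use_511:
        # 511 carries a link to the login page and is marked uncacheable,
        # so the portal page is never stored as if it were the origin's.
        phrase = HTTPStatus(511).phrase  # "Network Authentication Required"
        return Response(511,
                        {"Content-Type": "text/html", "Cache-Control": "no-store"},
                        f'<title>{phrase}</title><a href="{LOGIN_URL}">Log in</a>')
    # Legacy behaviour discussed in the thread: redirect to the login page.
    return Response(302, {"Location": LOGIN_URL})


def classify(requested_url: str, resp: Response) -> str:
    """Client-side decision for a response to a plain-HTTP request."""
    if resp.status == 511:
        # Generated by the network, not the origin: show the login page to
        # the user, never hand the body to the code that asked for the URL.
        return "network-login-required"
    if resp.status in (301, 302, 303, 307):
        target = urlsplit(resp.headers.get("Location", "")).hostname
        if target != urlsplit(requested_url).hostname:
            # Could be the origin or an interceptor; the client cannot know.
            return "ambiguous-cross-host-redirect"
        return "same-host-redirect"
    return "origin-response"
```

This covers plain HTTP only; as noted in the message above, a 511 injected
into an intercepted HTTPS connection still surfaces as a certificate error.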