
Re: Secure (https) proxy authentication

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Sun, 19 Feb 2012 11:22:52 +0100
Message-ID: <4ec05cf797322715a960743aeec0a48b.squirrel@arekh.dyndns.org>
To: squid3@treenet.co.nz
Cc: ietf-http-wg@w3.org
Amos Jeffries writes:
> On 19/02/2012 7:56 a.m., Nicolas Mailhot wrote:
> > (I don't remember the CVE numbers, but every
> > major browser stopped honoring those redirects at about the same time) . So
> Ah, that restricted to 302, 300 and unknown 3xx redirects AFAIK, which
> are unsafe or difficult to allow safe auto-redirect for.

Yes, I totally understand the CVE logic, however this change broke most
authenticated proxy setups (and now that enterprises are finally retiring or
replacing ie6 they are stuck)

> Most of the hacks on the wikipedia page are involved with getting the
> packets to the portals proxy software without making the browser aware
> that it exists. Simple proxy auto-configuration avoids all of these
> hacks. They all happen long before HTTP gets a byte in edgewise.

This part does not require browser configuration, and proxy autoconfiguration
can be challenging on a huge corporate network. The main problem right now is
getting browser cooperation to display the authentication form.

> How do you propose HTTP spec updates to solve "users who first use an
> email client or other will find the connection not working without
> explanation"? This being the problem which covers intercepted port 443
> packets for HTTPS portal.

I don't have any bright idea there. Though if people continue migrating to
webmail, that will eventually be academic.

> > I'd really like the working group to define such a standard method. It
> > wouldn't be complex or difficult to implement in browsers, and it would solve
> > many actual problems now.
> Do you mean a mechanism like the status 303 (See Other), 305 (Use Proxy)
> and 511 (Network Authentication Required)?

511 is exactly what I need. I was not aware of it. Is it implemented in any
browser yet? Where should I point the browser writers to get it implemented?

http://tools.ietf.org/id/draft-nottingham-http-new-status-04.txt ?

(except for the part where 511 generates a certificate error)

> Notice how 302 is not in that list despite Wikipedia noting that most
> portals use 302.

Most portals use 302, Bluecoat uses 307, and everyone is getting blocked by

305 is useless for my needs as long as the RFC states that:

    Note: RFC 2068 was not clear that 305 was intended to redirect a
    single request, and to be generated by origin servers only.  Not
    observing these limitations has significant security consequences.

Anyway, 511 is much cleaner

> That would seem to be one part of the underlying
> problem. The other part being browsers defaulting to disable WPAD
> support (needed for 303 to work) or treating 303 as 302 including those
> security protections.

The RFC does state:

    Note: Many pre-HTTP/1.1 user agents do not understand the 303
    status. When interoperability with such clients is a concern, the
    302 status code may be used instead

Thank you for your help!

BTW: it would be nice if 7.3.6, 7.3.7 and 7.4.8 referenced the error 511 (and
if the error 511 description included the proxy keyword) or people won't find it.

Nicolas Mailhot
Received on Sunday, 19 February 2012 10:23:37 UTC
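An added example (not from this thread or from Squid) of the 511 mechanism the message settles on: an intercepting proxy emits a 511 whose body only points at the login page, and a user agent recognises it and surfaces that page rather than treating it as a proxy redirect it must block. The login URL, HTML text and the `Cache-Control: no-store` header are my assumptions; the body shape follows the draft's example, and the exchange is assumed to be plain HTTP, since over TLS the same response would trigger the certificate error the message mentions.

```python
import re
from typing import Optional

LOGIN_URL = "https://login.example.net/"  # constructed sample portal address


def build_511_response(login_url: str) -> bytes:
    """Render a 511 Network Authentication Required response.
    The body carries no challenge itself (browsers would attribute a login
    form to the originally requested URL); it only links and refreshes to the
    portal. no-store is an assumption added so no cache can replay it."""
    body = (
        "<html><head><title>Network Authentication Required</title>\n"
        f'<meta http-equiv="refresh" content="0; url={login_url}">\n'
        "</head><body>\n"
        f'<p>You need to <a href="{login_url}">authenticate with the local '
        "network</a> in order to gain access.</p></body></html>\n"
    ).encode()
    head = (
        "HTTP/1.1 511 Network Authentication Required\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: no-store\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 response parser: (status, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def portal_login_url(raw: bytes) -> Optional[str]:
    """Return the login page a user agent should show for a 511, and None for
    anything else: a proxy-issued 302/307 gets no special treatment, which is
    exactly why those portals end up blocked by current browsers."""
    status, _headers, body = parse_response(raw)
    if status != 511:
        return None
    m = re.search(r'http-equiv="refresh"\s+content="\d+;\s*url=([^"]+)"', body)
    if m is None:
        m = re.search(r'href="([^"]+)"', body)
    return m.group(1) if m else None
```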
