W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Explicit Proxy [was: A proposal]

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 20 Nov 2013 02:26:56 +0000
To: "Mark Nottingham" <mnot@mnot.net>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <em519d1190-4e38-40ea-a202-65f020bfdb96@bodybag>

proxy discovery could almost deserve its own issue.

A long time ago 305 Use Proxy was deprecated (and apparently it wasn't 
implemented anyway by UA authors).

Personally I think it (or something similar) could have been useful in a 
restricted (trusted) environment to force a browser to use a proxy that 
they weren't going to get anywhere without using.

out of band approaches really are not reliable like a forced 
interception based approach could be.  WPAD is a complete mess, and 
there are so many links in the chain that it's flaky.  An administrator 
has to be coached to

* configure DHCP option 252
* configure DNS
* configure a script file to serve
* configure clients to use auto proxy detection

On the other hand, if a proxy could just intercept port 80, check if the 
request looked like a proxy one or not, if it didn't then bounce with a 
response that got the UA to present a dialog to the user saying 
something like

"the proxy at x.x.x.x asserts that you must use it to access the 
internet, do you wish to proceed"

Then that would be the end of it.  Oviously this could be improved on, 
and maybe it would be a page.  Methods to establish the true origin of 
that requirement could also be put in, to protect against using this 
upstream of the corporate gateway.

Or alternatively this could just trigger the browser to start a proxy 
discovery process.

This would resolve the problem with visiting devices as well.

This issue has been discussed before, but are we the people to deal with 
it?  If it is dealt with in the protocol, then we are.

Adrien



------ Original Message ------
From: "Mark Nottingham" <mnot@mnot.net>
To: "Willy Tarreau" <w@1wt.eu>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>; "Roy Fielding" 
<fielding@gbiv.com>; "Stephen Farrell" <stephen.farrell@cs.tcd.ie>; 
"Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Mike Belshe" 
<mike@belshe.com>
Sent: 20/11/2013 3:07:46 p.m.
Subject: Explicit Proxy [was: A proposal]
>Hi Willy,
>
>On 20/11/2013, at 12:41 PM, Willy Tarreau <w@1wt.eu> wrote:
>>
>>  So let's loop back to one of the very old points about tls+auth for
>>  proxies. This will significantly improve the ability to use 
>>anonymisers
>>  and to use them safely. Without even the SNI or destination address
>>  being useful (right now the SNI is carried over clear text even
>>  through proxies).
>>
>>  That way we can have end users safely connect to well known 
>>anonymisers
>>  without anyone being able to get anything from that conversation, to
>>  the same extents as what the pro-TLS guys expect from full TLS to
>>  servers.
>>
>>  I know it has been discussed many times in the past, but let's bring
>>  that again on the table so that "people don't die anymore". Secure,
>>  trusted proxies are *the* solution to solve the privacy issues that
>>  make some people insist so much on having TLS. Let's just have it
>>  towards the right place.
>
>
>Explicit proxy is tracked here: 
><https://github.com/http2/http2-spec/issues/316>.
>
>I've heard a significant amount of interest in this, especially at and 
>after Vancouver, and think we'll see more proposals soon.
>
>Cheers,
>
>
>--
>Mark Nottingham http://www.mnot.net/
>
>
>
>
Received on Wednesday, 20 November 2013 02:26:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC