W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Yet another trusted proxy suggestion

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 28 Nov 2013 11:46:08 +0000
Message-ID: <52972D00.4040306@cs.tcd.ie>
To: Yoav Nir <synp71@live.com>, HTTP Group <ietf-http-wg@w3.org>

Hiya,

Cutting out lots of bits...

On 11/28/2013 11:15 AM, Yoav Nir wrote:
> On 28/11/13 11:37 AM, Stephen Farrell wrote:
[...]
> With this proposal they can enforce their policy, allowing users to
> connect without a proxy, and not allowing them to connect with it. Seems
> like a positive to me.

You're saying that basically a bank with a policy of not agreeing
to expose their customers' credentials to proxies (or with a
regulator who imposes such a policy) would have to turn off
Internet banking for any customer behind such a proxy who uses
HTTP/2.0.

I've no real clue, but I'd worry that'd be a major dis-incentive
for deploying HTTP/2.0 for such a bank. (Is there even a good
way to fall back to HTTP/1.1 in such a case?)

Doesn't that mean that the wg need to know whether or not the
above speculation is real or not before any particular proxy
solution could be adopted? (Or before someone takes the risk
of being burned as you put it:-)

> Having this option on the table may allow (in the far future) browsers
> to stop scaling back security in the presence of MitM proxies.

Yes, current MITM attack boxes are worse. But doing the right
thing of exposing the proxy to the web site might well mean
giving some sites a choice that requires them to not use
HTTP/2.0.

There are real and hard conflicts here between the enterprise
desire to scan stuff and the web site desire for e2e security
and both need to be properly considered.

S.
Received on Thursday, 28 November 2013 11:46:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC