- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 3 Dec 2013 10:02:07 +0100
- To: "William Chan (?????????)" <willchan@chromium.org>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi William,

On Mon, Dec 02, 2013 at 11:37:33PM -0800, William Chan (?????????) wrote:
> Pardon me if this is obvious, but it's not immediately obvious to me what
> will cause people to use explicit proxies instead of MITM proxies? Who is
> going to deploy them? The 2 cases I can think of are:
>
> (1) People who are using HTTP interception ("transparent") proxies
> (2) People who are already using SSL MITM proxies
(...)

There are several use cases. First, explicit proxies commonly require authentication. This cannot be *cleanly* done using MITM; you generally have to hack with cookies and redirects, and it's often not compatible with a number of browser plug-ins or even software updates.

Second, you forget one growing deployment case which is the external filtering proxy. Many companies provide this nowadays. Zscaler is one of them, but I'm also seeing small companies order such services for internal use and propose them to their employees for free to use from home, simply because that helps them protect their PC against malware. Again here we're talking only about explicit proxies, since there's nothing on the network between the browser and the origin server.

Third, a long time ago when the internet started to reach joe user, all ISPs provided some connection kits which pre-configured their local proxies in the browser. The goal was to save on bandwidth costs. This disappeared when ISPs' bandwidth became much larger than what they offer to their customers. But in mobile environments there's still a benefit for this: you save the DNS round trip, and I'm quite sure that if explicit proxies could be used safely, they would be more commonly used in mobile environments because you can typically save about 1 second in an average page load time due to the many hosts on a page (interestingly, domain sharding has hurt page load time there).

Then you have anonymizers that some people use for whatever reason (paranoia, illegal activities, political reasons, etc...).

I expect that use of explicit proxies will significantly rise after adoption of proxies over TLS because one of the problems explicit proxies are currently facing is the lack of confidentiality when used in clear (e.g. CONNECT host:port, SNI in clear text, credentials in clear text).

Hoping this helps,
Willy
Received on Tuesday, 3 December 2013 09:02:32 UTC