
Re: What will incentivize deployment of explicit proxies?

From: 陈智昌 <willchan@chromium.org>
Date: Tue, 3 Dec 2013 04:08:02 -0800
Message-ID: <CAA4WUYhO33THg-emsOjS__b_5frexWoU7R8rhCgnvSZ8C2vfFA@mail.gmail.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Oops, sorry I missed this in my FIFO. My bad.

On Tue, Dec 3, 2013 at 2:34 AM, Salvatore Loreto <
salvatore.loreto@ericsson.com> wrote:

> On Dec 3, 2013, at 9:37 AM, William Chan (陈智昌) <willchan@chromium.org>
> wrote:
> > Pardon me if this is obvious, but it's not immediately obvious to me
> > what will cause people to use explicit proxies instead of MITM proxies?
> you have also an answer to the question below in your own mail.
> I would prefer to use explicit proxies, because at least I become
> conscious that there is some box in between me and the content provider.

When you say "I" here, you mean yourself as an end user, right? So, does
this mean you want a UI indicator of some sort? Can you explain how this
would work? I suspect Chromium would have an issue with that due to the
discussion in this bug thread:
https://code.google.com/p/chromium/issues/detail?id=81623#c20. Once you've
been MITM'd, anything that's cached is suspect. But what do you do at that
point? Taint track each resource in the cache? Keep separate browser
caches? What about localStorage? If JS is no longer trusted, it could have
touched anything, hence it's viral and spread to all web storage. Once
you're 0wn3d once, then even if you move to a "safe" network without the
proxy in the way that can examine your HTTPS, you can still be 0wn3d. So
what UI indicator should be shown to the user?

> Of course I would prefer also to be offered a mechanism to opt in (the
> proxy) or to opt out … (if I am in by default)
> in this way we let the people choose or if you prefer the market to
> decide
> if the explicit proxies really offer extra services/advantages then maybe
> people will start to use it more and more, if not…
> I would disagree with you, that would not be unsatisfactory, but that is
> my personal view as individual :-)

This discussion is hard to have because you're not providing much context.
I'm going to pigeonhole you into one of my previous use cases and you can
tell me if that's incorrect and why. I'm going to claim you fit (1) - the
existing interception proxy use case that worked fine for HTTP URIs but not
for HTTPS URIs. And this interception proxy was already operating without
any permission or knowledge from the end user. This might be an ISP proxy
for example. Now, in this case, even if an explicit proxy were provided
with a configuration to opt into the proxy being allowed to MITM the user,
I'm not seeing what incentive any user has to opt into letting themselves
get MITM'd. And I don't see why a UA would default to letting their users
get MITM'd. Can you explain how this would work?

> Moreover at the same time, in a perfect world, it would be really nice
> also to become aware of the existence of an SSL MITM
> especially in the case the user has decided to opt out from the usage of
> explicit proxy, but also in the case they have opted in.
> Both the user or the content provider may decide to act in a different way
> when they become aware that there is something in between
> Coming to the use cases there are several and of course they are
> different for different providers.
> for mobile network operators the main high level use case is to operate
> the network so to offer a great user experience to
> their customers (btw this is something that is also considered acceptable
> by draft-farrell-perpass-attack-00),
> then there is the one Willy is describing in his mail…
> caching is another one,
> and I am not talking of caching in CDN based on reverse proxy, I am
> talking about caching in forward proxy:
> caching content as close as possible to the user… (i.e. as close as
> possible to an antenna in the case of mobile network for example)

Can you explain why, for these cases you describe here, an end user who
administers his/her own machine would opt into using an explicit proxy that
is allowed to MITM the SSL traffic? I'm trying to understand the incentives
here for all parties. You've described the incentives for the mobile
network operators here. But all parties need to have incentives for this to
happen, right? Unless mobile network operators have all the power (i.e.
they administer the end user devices).

> filtering/anti malware (as Willy is also describing) is also an important
> use case that is becoming more and more important also in the mobile world.
> about the enterprise use case you have already received comments...
> br
> Salvatore
> > Who is going to deploy them? The 2 cases I can think of are:
> >
> > (1) People who are using HTTP interception ("transparent") proxies
> > (2) People who are already using SSL MITM proxies
> >
> > In case (1), it appears to me that proxy operators may want explicit
> > proxies, because theoretically those interception proxies provide vital
> > functionality that they don't want to lose if more things go over HTTPS.
> > Because if not, their alternative is to use a SSL MITM proxy, which
> > requires them to own the client devices so they can administratively
> > install additional root certificates. This bears a high cost, both in
> > perceived privacy impact and in requiring administrative maintenance. By
> > this description, I suspect this group probably consists of network
> > operators, like mobile network operators or ISPs or what not. I suspect
> > it's very costly for them to have to administrate customer devices.
> >
> > But I don't see what an explicit proxy will help with here. Is the
> > requirement that there be a way to automagically configure the explicit
> > proxy *and* default to giving up one or more of the confidentiality,
> > integrity, and authentication guarantees normally provided by TLS? I can't
> > see a browser defaulting into automatically letting an explicit
> > proxy MITM them. Will it just be opt-in (which, given how much browser
> > vendors "love" presenting UI to end users, is also controversial...)? If
> > so, is that good enough for whoever is deploying these proxies? I have to
> > imagine that's very unsatisfactory for them. What's the vision here?
> >
> > Now, as for case (2), if the proxy operators can already deploy their
> > MITM certs on client devices, then they already own those devices. This
> > sounds like enterprise computing devices or schools or prisons or what not.
> > Now, if they already own the devices on this network, what incentive do
> > they have to adopt explicit proxies? It sounds like they would just lose
> > power. Is there a carrot here? SSL MITM proxies are already transparent to
> > the client and origin server, so I don't see what leverage either entity
> > has here.
> >
> > Would love to hear people's thoughts here.
Received on Tuesday, 3 December 2013 12:08:37 UTC
