W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: What will incentivize deployment of explicit proxies?

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Tue, 3 Dec 2013 09:49:46 -0500
Message-ID: <CAOdDvNoG=jz7Gk0VOqT6gzn2VgEsaL-NDgcR0J6UPmne2K=Q4A@mail.gmail.com>
To: William Chan (陈智昌) <willchan@chromium.org>
Cc: Yoav Nir <synp71@live.com>, Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
firefox uses the OS proxy config by default with the exception that we
don't honor the OS WPAD setting, cause experience has shown that it is an
easy way to get owned when you're traveling. Like most everything, it is
configurable.

better proxy detection would be handy for better error reporting, better
auth handling, etc.. I agree. Doing this browser to proxy communication
over TLS would be good, I agree with that too. (This is what Will calls
https proxies.. I've got a patchset for firefox half written for it.)

The problem with these explicit MITM proposals is that they also propose to
terminate https:// at the proxy, and that shouldn't happen. Sure lots of
people are already MITM'd by root cert annotations today - but not
everybody. I don't want to spread that particular affliction.



On Tue, Dec 3, 2013 at 6:21 AM, William Chan (陈智昌) <willchan@chromium.org>wrote:

> On Tue, Dec 3, 2013 at 1:49 AM, Yoav Nir <synp71@live.com> wrote:
>
>> On 3/12/13 10:28 AM, Roberto Peon wrote:
>>
>>>
>>>         For enterprises, the new trend is apparently to allow users to
>>>         use their personal devices. These devices would be outside the
>>>         normal administrative chain and would likely cause headaches.
>>>
>>>
>>>     I agree using personal devices would likely cause headaches. But
>>>     you're not saying explicit proxies solves this somehow, do you? If
>>>     so, I missed it.
>>>
>>>
>>> Enterprises like these have three choices:
>>> 1) Disallow access to such devices
>>> 2) Force users to install root certs
>>> 3) Force users to configure a proxy explicitly.
>>> Arguably #3 is the best, from both the enterprise, site and user
>>> perspective as setting up an explicit proxy should be easier than
>>> installing a root cert for both enterprise and user, and the site now gets
>>> signaled about the presence of a proxy.
>>>
>>>  As you said, BYOD is the new trend (this email written on my Mac rather
>> than a company laptop), so #1 is out. #2 is what we have now, and this
>> applies not only to people who bring their own device, but also to people
>> who use Firefox (a non-negligible group). They handle it by either
>> searching for "install CA certificate on xxx" in a search engine and
>> pasting the result on an intranet page, or by sending the users to do the
>> search themselves.
>>
>> #3 is preferable for administrators, sites and users by making the UX for
>> it the browser vendor's problem. Because "get the CA certificate from this
>> wiki page, send it to an email account that you can access with your phone,
>> double-tap the attachment on the phone, etc." - all this is a form of user
>> experience, just not a good one.
>>
>> So if deploying an explicit proxy can get the BYOD people off of IT's
>> back, it's a win for them.
>
>
> OK, I think I see what you're saying. IIUC, you say that the setup UX
> sucks right now for MITM proxies, and browsers should make it better by
> providing an explicit configuration UI for this. I think that's an
> interesting point, that IT departments would prefer an explicit proxy if
> its setup were easier than the MITM proxy setup. I'm going to sleep on this
> one. The only thing that pops to mind for me is currently most browsers
> (mod Firefox only I think) generally delegate to the system preferences, so
> it'd be interesting to hear what an OS vendor (like Microsoft) has to say
> about this.
>
> Cheers.
>
>
>>
>>
>> Yoav
>>
>>
>
Received on Tuesday, 3 December 2013 14:50:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC