- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 03 Dec 2013 20:16:10 +0000
- To: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, William Chan (陈智昌) <willchan@chromium.org>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
+1 on playing nice with users and browsers, and add IT dept as well.

One of the biggest support queries we get relates to people who use our product to intercept connections, then wish the user to auth to the proxy.

What we do in this case is pretend the proxy is the server asking for auth (so we send a 401 back with a WWW-Authenticate header). There's no other way I can think of that can allow a per-connection establishment of credentials within HTTP.

The problem is the browser doesn't know about the proxy, so presumes the auth challenge (401) is coming from the server. It also presumes therefore that if it goes to another site, it can't re-use the creds.

If on the other hand the client could learn about the existence of the proxy, and learn that it is the proxy that is asking for the auth, then it could adopt a different behaviour.

PAC files are not a good deployment option. WPAD is not either.

IMO the best way is to take the connection that you have (the only one you can reliably know you will get) and use it to signal the requirement for proxy use. This means in clear http, having a signal for requirement to use a proxy, and in TLS, you'd need something in there as well.

I know people consider this as breaking TLS. However inserting a mechanism to deny with information a TLS handshake... does that really break it? Couldn't it be considered an extension of ALPN or NPN?

Adrien

------ Original Message ------
From: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>
To: "William Chan (陈智昌)" <willchan@chromium.org>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>; "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 4/12/2013 12:56:06 a.m.
Subject: Re: What will incentivize deployment of explicit proxies?
> On Tue 3 December 2013 12:27, William Chan (陈智昌) wrote:
>> On Tue, Dec 3, 2013 at 1:53 AM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
>>> On Tue 3 December 2013 08:37, William Chan (陈智昌) wrote:
>>>> Pardon me if this is obvious, but it's not immediately obvious to me what will cause people to use explicit proxies instead of MITM proxies? Who is going to deploy them? The 2 cases I can think of are:
>>>
>>> I think browser and privacy people really need to remove their 'us vs them' blinders and the debate will be much more constructive.
>>
>> Wow, this is fairly aggressive. Did my email really prompt this?
>
> Sorry if it was aggressive, I was trying to kill this argument once and for all.
>
> The incentive to adopt http/2 instead of existing systems is to play nice with browsers and users (assuming http/2 is well designed). Existing systems do not play nice with users and browsers. If you integrate the fact that operators do want to play nice with users and browsers, you'll realise your question answers itself.
>
> Cheers,
>
> --
> Nicolas Mailhot
Received on Tuesday, 3 December 2013 20:16:34 UTC
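The 401-versus-407 behaviour Adrien describes, as an added simulation that is not part of the thread or of any vendor's product: an intercepting proxy that challenges with 401 + WWW-Authenticate (so the client files the credentials under the origin host and re-prompts for every new site) beside an explicit proxy that challenges with 407 + Proxy-Authenticate (so the client files them under the proxy and reuses them across sites). The hostnames, credentials and realm are constructed for the example; the client models only the credential-scoping rule, not a real browser.

```python
"""Simulated HTTP exchange between a browser-like client and a proxy that
requires authentication. Added example, not code from the thread; hosts,
credentials and realm below are constructed."""

import base64

PROXY_USER = ("alice", "s3cret")  # constructed credentials


def basic(user, pw):
    """Basic credential value as it appears in an Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


class Proxy:
    """Proxy that refuses to forward until it sees valid credentials.

    mode == "intercept": pretends to be the origin, answers 401 with
        WWW-Authenticate and expects an Authorization header (the
        workaround described in the post).
    mode == "explicit": answers 407 with Proxy-Authenticate and expects a
        Proxy-Authorization header, which is what HTTP defines for proxies.
    """

    def __init__(self, mode):
        assert mode in ("intercept", "explicit")
        self.mode = mode
        self.challenges = 0  # how many times the proxy had to challenge

    def handle(self, req):
        hdr = "Proxy-Authorization" if self.mode == "explicit" else "Authorization"
        if req["headers"].get(hdr) == basic(*PROXY_USER):
            return {"status": 200, "headers": {}, "body": f"hello from {req['host']}"}
        self.challenges += 1
        if self.mode == "explicit":
            return {"status": 407, "headers": {"Proxy-Authenticate": 'Basic realm="proxy"'}, "body": ""}
        return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="proxy"'}, "body": ""}


class Client:
    """Browser-like credential cache.

    A 401 is taken at face value as coming from the origin, so its
    credentials are keyed by origin host and never sent to another host.
    A 407 is known to come from the proxy, so one credential is reused for
    every origin reached through it. Prompts are counted, not shown.
    """

    def __init__(self, proxy):
        self.proxy = proxy
        self.origin_creds = {}   # host -> Authorization value
        self.proxy_creds = None  # Proxy-Authorization value
        self.prompts = 0

    def _prompt_user(self):
        self.prompts += 1
        return basic(*PROXY_USER)

    def get(self, host, path="/"):
        headers = {}
        if host in self.origin_creds:
            headers["Authorization"] = self.origin_creds[host]
        if self.proxy_creds:
            headers["Proxy-Authorization"] = self.proxy_creds
        resp = self.proxy.handle({"host": host, "path": path, "headers": headers})
        if resp["status"] == 401 and "WWW-Authenticate" in resp["headers"]:
            self.origin_creds[host] = self._prompt_user()   # scoped to this host only
            return self.get(host, path)
        if resp["status"] == 407 and "Proxy-Authenticate" in resp["headers"]:
            self.proxy_creds = self._prompt_user()          # scoped to the proxy
            return self.get(host, path)
        return resp


def run(mode, hosts):
    """Fetch each host in order; return the final statuses and prompt count."""
    client = Client(Proxy(mode))
    statuses = [client.get(h)["status"] for h in hosts]
    return statuses, client.prompts


if __name__ == "__main__":
    sites = ["a.example", "b.example", "a.example"]
    print("intercept (401):", run("intercept", sites))  # 2 prompts: once per origin
    print("explicit  (407):", run("explicit", sites))   # 1 prompt: reused for every origin
```

Two things the simulation leaves out that a practitioner would check in a real deployment: with the 401 trick the browser believes the credentials belong to the origin, so it will keep attaching that Authorization header to every request for that host, and the proxy has to strip it before forwarding or the origin receives the proxy password; and a real browser applies per-realm and per-path caching rules on top of the per-host scoping shown here, which only makes the re-prompting worse, never better.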