Re: What will incentivize deployment of explicit proxies?

In the case of the corporate proxy, you delegate trust for the duration 
of your use of the browser at that location.

So I would expect some UI indication that is basically permanently 
indicating this is happening, which is why I previously suggested the 
frame could be a way to do it.

There's also a class of proxy that we haven't been considering much 
here, that is possibly the most wide-spread:

Localhost proxies for products like endpoint AV.

Adrien


------ Original Message ------
From: "Patrick McManus" <mcmanus@ducksong.com>
To: "William Chan (陈智昌)" <willchan@chromium.org>
Cc: "Yoav Nir" <synp71@live.com>; "Nicolas Mailhot" 
<nicolas.mailhot@laposte.net>; "Roberto Peon" <grmocg@gmail.com>; "HTTP 
Working Group" <ietf-http-wg@w3.org>
Sent: 4/12/2013 11:25:20 a.m.
Subject: Re: What will incentivize deployment of explicit proxies?
>
>On Tue, Dec 3, 2013 at 1:53 PM, William Chan (陈智昌) 
><willchan@chromium.org> wrote:
>>
>><pushback>
>>I can probably expect to be tarred and feathered by my security team 
>>if I tell them we need to put up a UI asking the end user to make a 
>>decision about security :)
>></pushback>
>
>Right. There is probably no way the user can make a meaningful decision 
>here. Heck - I'm not sure I can make a meaningful decision and I'm 
>certainly more familiar with the issues than most users. We've just 
>begun to uncover some of the reasons why.
>
>you make a "trust" delegation to your proxy to do exactly what.. load a 
>single URL? load just a particular origin? load a page.. (for how long 
>(scripts!)?).. can different pages use scripts cached with that trust? 
>Can they use my pre established cookies? What about mixed content 
>rules? What about a safe browsing database or a CRL list - Are those 
>still trusted? How about browser updates or new addons? Should you be 
>prompted separately to search google.com and login to chase.com? is 
>every page a new dialog? Are we going to categories where you opt-in a 
>category (e.g. search, but not finance) and then the server gets to 
>decide what kind of data it is instead of the user? Why is my EV 
>indicator now gone and does that deter server side folks who want a 
>stable UI to not adopt EV?
>
>And that's all rather beside the point. The information belongs to the 
>user not to the network even if the network is not obliged to carry it. 
>If the network would like to be able to more expressively define 
>mechanisms saying it refuses to carry e2e secured data I would be happy 
>to make use of that..
>
>-P
>

Received on Tuesday, 3 December 2013 22:33:38 UTC