W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: What will incentivize deployment of explicit proxies?

From: (wrong string) 陈智昌 <willchan@chromium.org>
Date: Tue, 3 Dec 2013 16:22:46 -0800
Message-ID: <CAA4WUYjDBp94v9t7x71gOR48-622LPXeQC3mLrAjLUU5nF1F_g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Yoav Nir <synp71@live.com>, James M Snell <jasnell@gmail.com>, Tim Bray <tbray@textuality.com>, Roberto Peon <grmocg@gmail.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, HTTP Working Group <ietf-http-wg@w3.org>
OK, it sounds like people are retreating back from the
autoconfiguration+interstitial part of an explicit proxy proposal...except
maybe Nicholas? I'd love to hear more thoughts on
autoconfiguration+interstitial. It sounds like the prevailing sentiment is
it's unacceptable from a security UX perspective.

And now we're back to one-time setup operations. And in contrast to MITM
proxies, we see an opportunity to improve on the UX here, since installing
a root cert sucks. It seems like all browsers here rely on the system for
proxy configuration (Pat corrected me earlier on that), so this will tie us
to OS versions if we pursue this path. So if the OS vendors do not improve
the UX for installing MITM proxies, and instead focus energies on creating
a better explicit proxy configuration UX, then maybe that'll encourage
proxy operators to deploy more explicit proxies.

That's probably most of the proxy incentives there. Now it's interesting to
analyze the site operator incentives and the browser incentives. Site
operators will like explicit proxies, since they probably like having more
knowledge/power. Although there's the concern Stephen raised earlier about
banking site operators blocking access if an explicit "trusted" proxy is
present. This may impact the incentives of proxy operators to deploy
explicit proxies since they may not want site operators to be able to do
this. Thoughts on that?

And now there are the UAs, of which browsers are the most prominent. For
tools like curl, I don't think they'd have a problem with "trusted"
proxies, since the user presumably knows what he's doing? Maybe? For
browsers though, I expect there will be some hesitance to sacrifice e2e
security guarantees. Pat already mentioned this earlier about his dislike
of proxy termination of https:// requests. My teammates have similarly
voiced concerns here. Would we be willing to move forward with explicit
HTTPS proxies (UA<=>proxy TLS connection) without any "trusted" modes? Or
is that a key part of the proposals?

Cheers.


On Tue, Dec 3, 2013 at 3:07 PM, Martin Thomson <martin.thomson@gmail.com>wrote:

> On 3 December 2013 14:37, Yoav Nir <synp71@live.com> wrote:
> > It might be prudent to sacrifice expediency and block all access through
> > unrecognized proxies. Adding an explicit proxy would then have to be done
> > through a different UI, not a prompt that surprises a user who is trying
> to
> > do something.
>
> That's exactly what we've decided to do for screen sharing in WebRTC.
> It's got a similar sort of security profile: deceptively simple, but
> in practice there are subtleties users cannot be expected to evaluate.
>  In that context, Chrome - the only browser thus far to even have
> screen sharing support - have decided to move access to this into
> their extension framework.
>
> In order to enable screen sharing in Chrome, sites will need to use an
> extension that enables screen sharing for their site.  That hasn't
> been a universally popular decision, but I believe it to be a
> reasonable one given the nature of the problem.  It takes the decision
> off the critical path; it allows for revocation of rights when there
> are bad actors; etc...
>
> I'm not suggesting that this is the right decision here, but some
> greater awareness of the sorts of things people are doing when
> presented with similarly tough decisions can't hurt.
>
Received on Wednesday, 4 December 2013 00:23:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC