W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: What will incentivize deployment of explicit proxies?

From: Albert Lunde <atlunde@panix.com>
Date: Tue, 03 Dec 2013 19:18:15 -0600
Message-ID: <529E82D7.6030607@panix.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 12/3/2013 6:22 PM, William Chan (ι™ˆζ™Ίζ˜Œ) wrote:
> OK, it sounds like people are retreating back from the
> autoconfiguration+interstitial part of an explicit proxy
> proposal...except maybe Nicholas? I'd love to hear more thoughts on
> autoconfiguration+interstitial. It sounds like the prevailing sentiment
> is it's unacceptable from a security UX perspective.
[...]
> And now there are the UAs, of which browsers are the most prominent. For
> tools like curl, I don't think they'd have a problem with "trusted"
> proxies, since the user presumably knows what he's doing? Maybe? For
> browsers though, I expect there will be some hesitance to sacrifice e2e
> security guarantees. Pat already mentioned this earlier about his
> dislike of proxy termination of https:// requests. My teammates have
> similarly voiced concerns here. Would we be willing to move forward with
> explicit HTTPS proxies (UA<=>proxy TLS connection) without any "trusted"
> modes? Or is that a key part of the proposals?

It seems like a HTTP client's local configuration of what proxies it 
trusts (or distrusts) is going to be a distinct problem from the wire 
protocol being talked to the proxy, and may be specific to the type of 
client or how it is being used.

What's a reasonable configuration format for a browser client may not 
make sense for an RSS aggregation, or a web service client, or wget.

A mobile client that defines "Locations" might want to associate local 
proxy trust policies with those locations.  But there still might be 
security risks with policy spoofing.

For example, my Android phone can recognize "Locations" based on WiFi 
network names. It might conclude I was at the office because of the 
existence of a network named "Northwestern" without looking at the details.

A Microsoft domain environment might want to seed trust preferences with 
Group Policy.

Having some kind of expectation of what a configuration might involve
could be helpful. A list of recognized proxies with associated actions 
(trust/distrust), and a default action, seems like the simplest case.

Saying, "I'll trust proxies with certificates signed by a list of CAs" 
"reduces" it to the certificate trust problem, which is nearly where we 
stated, though trusting proxies signed by a short list of CAs might be 
more manageable.

I can't think of a way to introduce new trusted proxies that can't be 
subverted, say, by a person wanting to get to a suspect web site.

-- 
     Albert Lunde  albert-lunde@northwestern.edu
                   atlunde@panix.com  (address for personal mail)
Received on Wednesday, 4 December 2013 01:18:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC