W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: What will incentivize deployment of explicit proxies?

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Wed, 4 Dec 2013 09:55:25 +0100
Message-ID: <2026a3127f84d1b904506adb8a00cad6.squirrel@arekh.dyndns.org>
To: "Yoav Nir" <synp71@live.com>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "William Chan (陈智昌)" <willchan@chromium.org>, "Roberto Peon" <grmocg@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>

Le Mar 3 décembre 2013 22:28, Yoav Nir a écrit :
> On 3/12/13 10:00 PM, Nicolas Mailhot wrote:
>> Le Mar 3 décembre 2013 19:53, William Chan (陈智昌) a écrit :
>>
>>>> On 3/12/13 3:16 PM, Nicolas Mailhot wrote:
>>>>
>>>>> Le Mar 3 décembre 2013 12:24, Yoav Nir a écrit :
>>>>>
>>>>>
>>>>> 5. Prompt the user:
>>>>>
>>>>> Accept using gateway-name to access http://awebsite.com/ and other
>>>>> web
>>>>> sites in ingoing-http2-mode ?
>>>>>
>>>>> [check reformatted access rules] [see help page] [see certificate]
>>>>>
>>>>>     [ ] Prompt for other web sites and security modes
>>>>>     ( ) only for this session ( ) all the time
>>>>>     (*) only from here        ( ) everywhere
>>>>>                                            [Yes] [No]
>>> <pushback>
>>> I can probably expect to be tarred and feathered by my security team if
>>> I
>>> tell them we need to put up a UI asking the end user to make a decision
>>> about security :)
>>> </pushback>
>> Then simplify the prompt to
>>
>> Access to http://awebsite.com/ requires using gateway-name on this
>> network.
>> gateway-name may read some of your traffic. Do you want to proceed ?
>>    <link to advanced info>
>>    <yes> <no>
>
> Simplification doesn't help. The user is in the middle of doing
> something, and they're not going to take their mind off the task at hand
> to answer your questions.

I can tell you they will and already do it (here for 150k+ people)

>> The only decision the user needs to make is if he's in a location where
>> gateway-name is expecter and if he accepts exposing his traffic.
>
> Not everyone has expectations regarding the presence or absence of
> proxies. Only a few would be able to make a good guess as to why the
> proxy is even there (scan for malware? Cache? scan for subversives?)

They're not required to guess anything that's why I want the browser to
display the whole access list if the user want to consult it.

For the rest it's not better or worse than the miriad small print
interactions users perform every day (including small print on video games
for kids, including web site term of uses, etc). You can wish for a world
without small print or lawsuits but this world won't happen so let's make
the existing one as convenient as possible for existing users.

>> That will
>> usually be a no-brainer (ok if at hotel, corp, school, nok at home
>> unless
>> the proxy is user-deployed).
>
> Guess it's not a no-brainer, because I would not be OK with a decrypting
> proxy at a hotel, coffee shop, or airport.

It's a no brainer to choose yes or no. Your answer proves it's a no
brainer for you to choose no in some circumstances. I guess if you want to
access your airplane ticket to reschedule because you're late at the
airport it will be a no brainer to choose yes to the airport proxy instead
of spending hours in a physical queue (and I'm pretty sure than in the USA
any airport gateway would be monitored in depth by all kinds of black
agencies).

>> And you only need to remind him the gateway
>> is in use next time it's encountered via a transient message, in case it
>> occurs in an unexpected place, the user wants to rescind the permission
>> or
>> he's in private browsing mode. (display gateway name and encryption
>> status)
>
> "Your traffic to mail.google.com is being decrypted by
> sslproxy.example.com". Good, bad, or indifferent?

Indifferent is not a choice. The choice is to proceed or not.

Regards,

-- 
Nicolas Mailhot
Received on Wednesday, 4 December 2013 08:55:54 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC