Re: Three More Proxy User Stories from Yoav Nir on 2013-12-09 (ietf-http-wg@w3.org from October to December 2013)

From: Yoav Nir <synp71@live.com>
Date: Mon, 9 Dec 2013 08:30:21 +0200
To: Peter Lepeska <bizzbyster@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <BLU0-SMTP19187D163EC7680663C11F1B1D30@phx.gbl>

On 9/12/13 1:06 AM, Peter Lepeska wrote:
> Interested in feedback on the following proxy user stories to be added 
> to the current list here: 
> https://github.com/http2/http2-spec/wiki/Proxy-User-Stories.
>
> Adam's Strictly Confidential Traffic
> Adam is the enterprise webmail administrator for company A, which 
> prioritizes corporate confidentiality and information assurance above 
> all else. Adam therefore would like to prevent all proxies from 
> decrypting corporate webmail traffic regardless of any side effects 
> this might cause.

With today's MitM proxies, the server side cannot opt out. We can design 
a protocol that allows the server to opt out, but to get a guarantee of 
the lack of proxies, we'd need to detect and block MitM proxies. There 
are ways of doing this, but as long as you can get people to install CA 
certificates and as long as browsers disable key pinning when faced with 
a locally-signed certificates, MitM will continue to work.
>
> Eve's Access Blocking Enterprise Proxy
> Eve, the administrator of a proxy deployed at the edge of company B's 
> network, refuses to allow any traffic in or out of the network that 
> cannot be inspected. At the same time, Eve would like to avoid the 
> potential liability involved in viewing another firm's confidential 
> traffic. If a user on company B's network also has a webmail account 
> from a company that has a strict confidentiality policy similar to 
> company A's, Eve would prefer to prevent access to that webmail server 
> from within company B than to decrypt that traffic.

Wouldn't liability be addressed by installing a product that doesn't 
show the cleartext to humans or store plaintext? or by having in place 
procedures to avoid humans seeing stuff they don't need?

The way you phrase the last sentence implies that company A just emits a 
policy, and company B enforces it. I would rather make it possible for 
company A to enforce this. Ethical proxies might honor such a request , 
but rogue ones would not. OTOH, ethical proxies would also implement the 
new protocol that allows company A to really opt out.
>
> Darlene's Content Server Respecting Proxy
> Darlene, the executive at the mobile provider mentioned in the above 
> link, would like to optimize mobile user traffic which requires 
> decryption but would also like to avoid the potential liability of 
> decrypting traffic to/from content owners with strict confidentiality 
> policy similar to company A's. Darlene would like to decrypt only that 
> traffic for which the content owners have not explicitly denied 
> consent to decrypt.
>
Ah, so we need a way for the server to signal the client to refuse to 
cooperate with proxies, and proxies that only do caching can allow both 
CONNECT and GET.

Thanks

Yoav

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Monday, 9 December 2013 06:31:04 UTC