Re: What will incentivize deployment of explicit proxies?

On Wed, Dec 11, 2013 at 4:50 AM, Nicolas Mailhot <
nicolas.mailhot@laposte.net> wrote:

>
> Le Mar 10 décembre 2013 03:12, Mark Nottingham a écrit :
>
> > What I don't want to do is spend months-to-years developing a new kind of
> > explicit proxy in HTTP in the *hope* that it'll somehow magically
> supplant
> > these devices, without some sort of evidence that it has a chance of
> doing
> > so.
>
> The trust level of the endpoint site is not the same as the trust level of
> the gateway. It may surprise you but in some case the trust level of the
> gateway is way higher than a random web site on the other side of the
> world, so not being able to distinguish in the web client between the
> signals of the web site and of the gateway is a big security problem.
>
> --
>
So, I think this is the point at which someone traditionally says "the term
'trust' is overloaded here", and it seems to fall to me this time.  An end
user or IT staff member may have greater confidence that a specific type of
proxy is not delivering malware than it has in a random web site, since the
proxy may be developed to remove malware.  For that value of "trust", your
statement makes sense.

The end user/IT staff member cannot have great confidence that the proxy is
delivering the content intended by the random web site.  It can at most
match the same confidence.

So let's be a little careful with terms like "trust level", please.

thanks,

Ted




> Nicolas Mailhot
>
>
>

Received on Thursday, 12 December 2013 01:23:15 UTC