Re: why not WPAD?

Eliot,

Maybe the problem is that today we not only use WPAD to detect a
proxy, but we also use it to determine whether or not to use the
proxy. Or, as you say, to trust it to look at our traffic. Maybe those
two actions -- discovery and decision to trust -- should be separate.
In the context of the trusted eproxy discussion, I think we're all
assuming that there will be an additional trust decision made by the
user, or by an administrator in the enterprise case. So I'm asking the
question of whether WPAD is an okay mechanism, perhaps with some
enhancements, to give us the proxy discovery piece.

In that case, do you still see a problem with WPAD if it is only
responsible for discovery?

Peter

On Wed, Jan 15, 2014 at 4:24 PM, Eliot Lear <lear@cisco.com> wrote:
> Peter,
>
> Without addressing your question specifically, who do you trust?  If the
> information comes off DHCP do you trust the local network
> administrator?  What if your device is mobile?  What if it's in
> Starbucks?  If we're talking about DNS-based WPAD, perhaps a configured
> domain that one trusts is more interesting, especially if you can play
> proximity games...
>
> Eliot
>
> On 1/15/14 8:09 PM, Peter Lepeska wrote:
>> Salvatore's recent draft on trusted proxies
>> (http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-00.txt)
>> presents one approach for browsers to learn about the presence of
>> proxies, even when the browser is first using HTTPS to talk to the
>> Internet.
>>
>> But WPAD already exists for this purpose and all of the browsers
>> support it in one form or another -- Chrome recently added support for
>> WPAD over DHCP as I understand it. I know there are implementation
>> problems with WPAD and proxy autoconfig but fundamentally what is
>> wrong with the approach of leveraging DHCP and DNS to discover proxies
>> and then relying on a simple JavaScript-based script to determine when
>> the proxy should be used?
>>
>> Is there something fatally flawed about the WPAD/PAC model for dynamic
>> proxy detection? If this topic is covered in another thread, please
>> send me a link to it.
>>
>> Thanks,
>>
>> Peter
>>
>>
>>
>

Received on Wednesday, 15 January 2014 22:38:45 UTC
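
As an added example (not part of either message, and not code from any browser), the following JavaScript sketch keeps the two actions discussed in the thread apart: WPAD candidates are discovered first, then a separate trust decision is made against locally configured policy. The policy object, host names and function names are assumptions made for illustration.

```javascript
// Added example (not from the thread). All host names and the policy
// object are constructed for illustration.

// Discovery step, DNS flavour: walk up the client's own domain and emit
// one candidate PAC URL per level, stopping before the bare TLD.
function dnsCandidates(clientFqdn) {
  const labels = clientFqdn.toLowerCase().replace(/\.$/, "").split(".");
  const out = [];
  for (let i = 1; i < labels.length - 1; i++) {
    out.push({ source: "dns", url: "http://wpad." + labels.slice(i).join(".") + "/wpad.dat" });
  }
  return out;
}

// Trust step: a separate decision made against locally configured policy,
// never against anything the network supplied.
function decideTrust(candidate, policy) {
  if (candidate.source === "dhcp" && !policy.acceptDhcp) {
    return { use: false, reason: "DHCP-supplied proxy not accepted on this network" };
  }
  let host;
  try {
    host = new URL(candidate.url).hostname.toLowerCase();
  } catch {
    return { use: false, reason: "unparseable URL" };
  }
  const ok = policy.trustedDomains.some((d) => host === d || host.endsWith("." + d));
  // Name matching only narrows which names are eligible; it does not
  // authenticate the DNS answer or the PAC file that is fetched.
  return ok
    ? { use: true, reason: "host under configured trusted domain" }
    : { use: false, reason: "host outside configured trusted domains" };
}

// Returns the first candidate that passes the trust step, or null (no PAC used).
function selectPac(candidates, policy) {
  for (const c of candidates) {
    if (decideTrust(c, policy).use) return c;
  }
  return null;
}

// Constructed scenario: a corporate laptop sitting on a guest network.
const policy = { acceptDhcp: false, trustedDomains: ["corp.example.co.uk"] };
const found = [
  { source: "dhcp", url: "http://192.0.2.10/wpad.dat" },
  ...dnsCandidates("laptop.eng.corp.example.co.uk"),
];
console.log(found.map((c) => [c.url, decideTrust(c, policy).reason]));
```

Discovery here still emits `wpad.example.co.uk` and `wpad.co.uk`, names outside the organisation's control; only the separate policy check keeps them from being used.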