W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

RE: ext#9: OppSec and Proxies

From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
Date: Wed, 2 Jul 2014 09:39:47 +0000
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1B54310D@xmb-rcd-x04.cisco.com>
From: Mark Nottingham [mailto:mnot@mnot.net] 
 > Can the proxy advertise OppSec?

I'd really like the answer to this to be "yes". Consider a typical network layout for a guy in a coffee shop using his laptop:

	Client --- < Wifi > --- < ISPs > --- < Proxy > --- < ISPs > --- < Server >

The Wifi part of the picture is the dodgy part. That's the area of high latency, low bandwidth and high risk of direct attack (e.g. stolen credentials, malware, data loss and personal attacks as opposed to NSA style monitoring). Cisco have a product called AnyConnect which is a pretty popular VPN client. Less well known is that it also has a mode in which all Web traffic is sent to Cloud Web Security (the big proxy in the cloud). Since it's designed to be used on laptops in these sort of scenarios, it upgrades all connections to TLS for security. However, this requires custom software on the endpoint with a client that knows a lot less about page structure and user-activity than the browser does. It'd be much neater, faster and cleaner if we could just kick the browser into doing HTTP/2 over TLS and leave the client as a dumb bit-mover. Similar arguments can be made for other proxies,

Regards,

Richard
Received on Wednesday, 2 July 2014 09:40:19 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:08 UTC