W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

RE: Pseudo end-to-end connections considered harmful

From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
Date: Mon, 28 Jul 2014 08:41:34 +0000
To: Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1B54F924@xmb-rcd-x04.cisco.com>
From: Amos Jeffries [mailto:squid3@treenet.co.nz] 
 > Which requirement to add Via exists in RFC2616 and is already soundly ignored by the intelligence community middelware causing risk.

We do add Via and XFF on the requests of an inspected / MITM HTTPS transaction. They tend to get largely ignored - the most irritating being when that IP is used for:
- Authentication
- Country / location lookup
- Checking consistency between HTTP and HTTPS transaction sources.

I won't argue that any of these are good uses for an IP address - but they are all examples where I've seen XFF working on HTTP but being ignored when on HTTPS. I can't comment about Via since the browser's treatment of it rarely makes any difference to us as a proxy. The fact that we can't put this information on an HTTPS request at all without doing MITM is a source of even greater frustration.

 > The only thing this advice will do is break end-user middleware providing useful and non-harmful protection.
 > Users AV or adware protection, corporate TLS tunnel proxies, ISP based AV proxy, content provider CDN TLS gateway, and such like.

Yup. +1 to this.

Received on Monday, 28 July 2014 08:42:03 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:09 UTC