
Re: SSL/TLS everywhere fail

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Sat, 5 Dec 2015 11:23:53 +0100
Message-ID: <CAOdDvNpTGv7XJVDP52PPmB09wAknuUE12p9oP+0qeGyV8VjpOg@mail.gmail.com>
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <martin.thomson@gmail.com>
On Sat, Dec 5, 2015 at 1:55 AM, Alex Rousskov <rousskov@measurement-factory.com> wrote:

>
> Not in a technical sense. And we should not talk politics here.
>
>
The technical implications of policy (and vice versa) are certainly germane
to the making of standards. Things would be easier if that weren't true, but
it's not a good option to pretend otherwise. What we should avoid here, imo,
is any talk not related to a standard we are working on, even if it is of
general interest. This discussion seems in scope (if tedious :)).


> > Firefox definitely supports https proxies. I think that Chrome does too.
>
> For FireFox, this is a relatively recent and partial change, not yet
> available via regular configuration options AFAICT. I have not checked
> Chrome. It is nice that browsers are finally adding that support, of
> course!
>
>
Firefox "proxy over https" support was released in October 2014; Chrome
beat us to it. I've heard Microsoft banter on the topic, but I'm not sure
if it is currently available. In both browsers you can do h1/h2/spdy over
that link - including mux'd CONNECT tunnels within one h2/spdy session to
the proxy, with proxies that support h2/spdy. This has some really nice TCP
side-effects when done over poor links. Still waiting for several proxies
to pick up that feature. (That game works both ways :)..)

UI is done via PAC (which can be done without an external PAC file fwiw) in
both browsers. I think we will probably add a checkbox for it when we
update that configuration screen (For which I have a different reason to
schedule work anyhow, so this can piggyback).

But of course, this just authenticates the proxy and secures the transport
to it - it does not trust the proxy with https data split browser style. I
find it hard to imagine doing so would be in the best interest of our
users. Third parties that would like to be part of that conversation will
assert opportunity cost or just authority and disagree with my opinion.
C'est la vie.

-P
Received on Saturday, 5 December 2015 10:24:17 UTC
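The "proxy over https" configuration described in the message, as an added example that is not part of the original thread: a PAC script that routes traffic through a TLS-authenticated proxy (the `HTTPS` PAC keyword) with intranet hosts kept direct, plus a helper that packs the script into a `data:` URL so it can be used as the auto-config URL without hosting an external PAC file. The proxy host name, the `isPlainHostName` stand-in, and the data: URL approach are assumptions, not settings from the message.

```javascript
// Minimal stand-in for the PAC runtime helper of the same name, so the
// script can be exercised outside a browser (hypothetical, for testing only).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The PAC entry point. "HTTPS host:port" tells the browser to speak TLS to
// the proxy: the proxy is authenticated by its certificate and the
// browser-to-proxy hop is encrypted, but https:// origins are still only
// tunnelled (CONNECT), so the proxy never sees the inner plaintext.
function FindProxyForURL(url, host) {
  // Keep intranet / loopback traffic off the proxy entirely.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Placeholder proxy name. The trailing "; DIRECT" is a fail-open fallback
  // if the proxy is unreachable; drop it for a fail-closed policy.
  return "HTTPS proxy.example.net:443; DIRECT";
}

// Source text of the PAC script that would be handed to the browser
// (only FindProxyForURL; the browser supplies the real PAC helpers).
const PAC_SOURCE = FindProxyForURL.toString();

// Inline PAC: embed the script in a data: URL (assumption: browsers accept
// data: URLs for the proxy auto-config setting) so no PAC file is hosted.
function pacDataUrl(pacSource) {
  const b64 = Buffer.from(pacSource, "utf8").toString("base64");
  return "data:application/x-ns-proxy-autoconfig;base64," + b64;
}

// Inverse of pacDataUrl, used to confirm the script survives the round trip.
function pacFromDataUrl(dataUrl) {
  const prefix = "data:application/x-ns-proxy-autoconfig;base64,";
  if (!dataUrl.startsWith(prefix)) {
    throw new Error("not an inline PAC data: URL");
  }
  return Buffer.from(dataUrl.slice(prefix.length), "base64").toString("utf8");
}
```

Paste the data: URL into the browser's automatic proxy configuration URL field (Firefox: `network.proxy.autoconfig_url`) to use it.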
