Re: The future of forward proxy servers in an http/2 over TLS world

Yes, that's what caused the problem in the first place, and until we 
trust the proxy I don't think we'll move on from there.

Which means the connection to the proxy needs to be TLS.

We already support this with WinGate and I've verified it with Chrome 
and Firefox.  In that case couldn't the client trust an error response 
body from CONNECT?

Adrien


------ Original Message ------
From: "Patrick McManus" <mcmanus@ducksong.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>; "HTTP working group 
mailing list" <ietf-http-wg@w3.org>
Sent: 16/02/2017 9:08:16 AM
Subject: Re: The future of forward proxy servers in an http/2 over TLS 
world

>There is no Firefox support for that right now. It would require a 
>convincing UI and probably interest from another client to proceed 
>with. The concern is obviously some kind of phish mitm any time you are 
>asked to display https and you display anything not authenticated by 
>that origin.
>
>
>On Wed, Feb 15, 2017 at 3:02 PM, Adrien de Croy <adrien@qbik.com> 
>wrote:
>>
>>Thanks for that
>>
>>Looks like I already knew about it lol.
>>
>>Do we have any idea about whether this has browser support, I assume 
>>FF so far only?
>>
>>Adrien
>>
>>
>>------ Original Message ------
>>From: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>
>>To: "Adrien de Croy" <adrien@qbik.com>
>>Cc: "HTTP working group mailing list" <ietf-http-wg@w3.org>; "Kari 
>>Hurtta" <hurtta-ietf@elmme-mailer.org>
>>Sent: 16/02/2017 8:31:25 AM
>>Subject: Re: The future of forward proxy servers in an http/2 over TLS 
>>world
>>
>>>>  This means we have a need to be able to respond to CONNECT with a
>>>>  denial, and some kind of message that can be displayed to the user.
>>>
>>>Maybe
>>>
>>>https://tools.ietf.org/id/draft-nottingham-proxy-explanation-00.txt
>>>
>>>https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html
>>>
>>>https://bugzilla.mozilla.org/show_bug.cgi?id=637619#c31
>>>
>>>https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0419.html
>>>
>>>/ Kari Hurtta
>>>
>>
>>
>

Received on Wednesday, 15 February 2017 20:12:32 UTC