Re: The future of forward proxy servers in an http/2 over TLS world

On Wed, Feb 15, 2017 at 12:17 PM, Adrien de Croy <adrien@qbik.com> wrote:

> or at the very least the response message from the proxy needs to be
> digitally signed.  I could understand why a browser may not wish to have 2
> TLS layers going on at the same time.
>

Chrome supports speaking to an HTTP proxy via TLS. However, that's not
sufficient to display error pages in response to connect requests. If the
user attempts to navigate to an https:// URL, the UI presented should
either be:

* Actual content from the server which has been end-to-end authenticated
via a TLS connection to the origin.
* Browser UI

In the general case, the proxy is not in a position to be trusted by the
browser, alas.

Cheers,

Ryan

Received on Wednesday, 15 February 2017 20:25:28 UTC