Re: The future of forward proxy servers in an http/2 over TLS world

On 17/02/2017 9:17 a.m., Tom Bergan wrote:
> Ok, I see that I unintentionally stepped on a landmine. Sorry.
> 
> On Thu, Feb 16, 2017 at 11:47 AM, Alex Rousskov wrote:
> 
>> On 02/16/2017 11:25 AM, Tom Bergan wrote:
>>
>>> You started by stating, without proof, that proxies are needed to block
>>> requests.
>>
>> Adrien did not state that at all! He actually stated that
>>
>>   * proxies are used to block requests;
>>   * blocking requests is a critical proxy purpose;
>>   * blocking by proxy becomes increasingly difficult or even impossible
>>     due to ongoing protocol changes
>>
>> All are well-known facts that do not require a proof, I hope.
>>
>> [ If you are implying that requests should never be blocked or should
>> only be blocked by user agents, then I hope that other folks on the
>> mailing list can prove you wrong without appearing to be as biased as a
>> proxy developer would. ]
> 
> 
> Yes, I'm asking why the blocking needs to happen in a proxy. For example,
> Chrome's SafeBrowsing feature doesn't use a proxy. Your client is a willing
> participant that will customize their software and configuration as you ask
> them. Why does the protocol for deciding what to block necessarily need to
> happen over a proxy, rather than a side-channel? Maybe I'm being naive and
> don't know all the obvious reasons why a proxy is needed and a side-channel
> won't work. Has someone written an RFC describing why?
> 

Here is one reason:
 https://tools.ietf.org/html/rfc7725

The Browser behaviour of censoring the intermediary-generated error text
prevents ISPs and all other non-CDN entities from using that status code
in protest or to inform the user base about network censorship and other
unjust restrictions.

The problem is not limited to proxies; we are just the WG members
speaking up about the problem.  A firewall could blindly respond with
the byte string of an HTTP 4xx/5xx response and it would be censored on
HTTPS traffic just as much as any proxy.

Basically the Browser behaviour is colluding to perform censorship.

Amos

Received on Friday, 17 February 2017 04:22:52 UTC