- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Mon, 18 Jun 2007 01:21:16 +0200
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <1182122476.20393.18.camel@henriknordstrom.net>
mån 2007-06-18 klockan 10:23 +1200 skrev Adrien de Croy: > Given that the problem is not going to go away because people are not > going to want to stop using intercepting proxies, wouldn't it be better > if there was some proper protocol support for the concept? Big fat no from this proxy vendor (Squid). Interception and Authentication does not mix, and should not mix. What would be better is a standardized proxy discovery mechanism. WPAD isn't far from that today, and complemented with a DNS SRV profile it's fairly complete for all uses.. And perhaps some way for local networks to tell clients that proxies MUST be used. Doing this in HTTP is just dangerous. Switching to using proxies should not be taken lightly as there is security and privacy concerns. Doing so in response to messages from random servers without any chain of trust to the client is just plain wrong. What could reasonably be done in this area using HTTP interception is an error indication which hints the client that it should go and look for a proxy if it want's to gain Internet access. But not which proxy. That needs to be discovered with some mechanism where there is a reasonable chain of trust already established. > UAs at the moment don't generally know if their connections are being > intercepted. If they knew, then they could; > > * let the user know connections were being intercepted > - ameliorates issues relating to privacy > - helps users decipher errors better (i.e. upstream connection failure) > - leads towards possible user-control over whether their traffic may > be intercepted or not This is already in the specs thanks to the Via header. > * cooperate better with the proxy. > - move to a proxy-oriented protocol operation (can fix many issues, > such as auth) > - deal with errors differently And this is covered by WPAD (even if just Informal today..). And without WPAD the UA could in theory extract what it needs from Via to switch to proxy operation if desired, provided the proxy actually adds what it is required to add to the Via, but doing so would be a security nightmare due to the completely missing chain of trust. Also many doing interception don't want their proxy to send Via because they don't want to tell the user which proxy intercepted the request. Quite many admins doing the interception dance even asks if it's possible to completely hide any proxy generated error messages etc, making things always behave as if the proxy wasn't there.. Regards Henrik
Received on Sunday, 17 June 2007 23:21:36 UTC