- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Tue, 16 Jul 2013 10:35:11 +0200
- To: "Robert Collins" <robertc@squid-cache.org>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
On Tue 16 July 2013 08:08, Robert Collins wrote:

> So [fairly recently] squid and other proxies can retrieve resources
> over HTTPS. However user agents generally don't take advantage of
> this, instead using CONNECT, to do end to end encryption.

Is there a spec somewhere on how it's supposed to work?

> I'm sure that implementing this will start to raise issues like 'how
> do we signal client certificates indirectly' and so on, which *will*
> be HTTP protocol issues, but one step at a time.

Some more questions:

1. How do you protect the client <-> proxy link?

2. How do you send auth from the client to the proxy in a secure way without it leaking them outside? (Some http_proxy users just add proxy auth headers everywhere even when the proxy didn't ask for them, in basic auth, so they are leaking secrets to the outside like sieves.)

3. More generally, how are the client and proxy supposed to distinguish between client <-> proxy signaling and client <-> web site signaling?

4. Is proxy chaining possible? (I've seen proxies used both to authorize connections to the outside, and as gateways for connections inside. So how can a poor user that needs access to a resource protected by an Internet-to-inside proxy traverse his own inside-to-Internet gateway to reach it?)

Regards,

--
Nicolas Mailhot

Received on Tuesday, 16 July 2013 08:35:42 UTC