
Re: HTTPS, proxy environment variables and non-CONNECT access

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Tue, 16 Jul 2013 10:35:11 +0200
Message-ID: <d7ed4bf5bf3c9aa0cad0f9bb2296dc53.squirrel@arekh.dyndns.org>
To: "Robert Collins" <robertc@squid-cache.org>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

On Tue, 16 July 2013 08:08, Robert Collins wrote:
> So [fairly recently] squid and other proxies can retrieve resources
> over HTTPS. However user agents generally don't take advantage of
> this, instead using CONNECT, to do end to end encryption.

Is there a spec somewhere on how it's supposed to work?

> I'm sure that implementing this will start to raise issues like 'how
> do we signal client certificates indirectly' and so on, which *will*
> be HTTP protocol issues, but one step at a time.

Some more questions:
1. How do you protect the client <-> proxy link?
2. How do you send auth from the client to the proxy in a secure way
without it leaking outside? (some http_proxy users just add proxy
auth headers everywhere even when the proxy didn't ask for them, in basic
auth, so they are leaking secrets to the outside like sieves)
3. More generally, how are the client and proxy supposed to distinguish
between client <-> proxy signaling and client <-> web site signaling?
4. Is proxy chaining possible? (I've seen proxies used both to authorize
connections to the outside, and as a gateway for connections inside. So how
can a poor user that needs access to a resource protected by an
Internet-to-inside proxy traverse his own inside-to-Internet gateway to
reach it?)

Regards,

-- 
Nicolas Mailhot
Received on Tuesday, 16 July 2013 08:35:42 UTC
