
Re: HTTPS, proxy environment variables and non-CONNECT access

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Tue, 16 Jul 2013 12:07:44 +0200
Message-ID: <869fb0e8ac47fdd512a264dea91bb436.squirrel@arekh.dyndns.org>
To: "Robert Collins" <robertc@robertcollins.net>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "HTTP Working Group" <ietf-http-wg@w3.org>

On Tue, 16 July 2013 11:52, Robert Collins wrote:

>> 2. how do you send auth from the client to the proxy in a secure way
>> without it leaking them outside?
> I think you mean 'If the origin is an HTTPS origin which uses
> replayable (e.g. basic) auth, how do you prevent that leaking [vs e.g.
> how do you authenticate to the proxy itself].

No, I really meant "how do you prevent web site auth leaking proxy-side,
and proxy auth leaking web site-side, without assuming one of those auths
is worthless and can be shared or exposed non-encrypted in the name of
cutting corners". And that in a world where the only auth most web clients
will use reliably is basic auth.

Nicolas Mailhot
Received on Tuesday, 16 July 2013 10:08:14 UTC
