- From: Adrien de Croy <adrien@qbik.com>
- Date: Wed, 20 Nov 2013 02:26:56 +0000
- To: "Mark Nottingham" <mnot@mnot.net>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Proxy discovery could almost deserve its own issue. A long time ago 305 Use Proxy was deprecated (and apparently it wasn't implemented anyway by UA authors). Personally I think it (or something similar) could have been useful in a restricted (trusted) environment to force a browser to use a proxy that they weren't going to get anywhere without using.

Out-of-band approaches really are not reliable like a forced interception-based approach could be. WPAD is a complete mess, and there are so many links in the chain that it's flaky. An administrator has to be coached to

* configure DHCP option 252
* configure DNS
* configure a script file to serve
* configure clients to use auto proxy detection

On the other hand, if a proxy could just intercept port 80, check if the request looked like a proxy one or not, and if it didn't then bounce with a response that got the UA to present a dialog to the user saying something like "the proxy at x.x.x.x asserts that you must use it to access the internet, do you wish to proceed", then that would be the end of it.

Obviously this could be improved on, and maybe it would be a page. Methods to establish the true origin of that requirement could also be put in, to protect against using this upstream of the corporate gateway. Or alternatively this could just trigger the browser to start a proxy discovery process. This would resolve the problem with visiting devices as well.

This issue has been discussed before, but are we the people to deal with it? If it is dealt with in the protocol, then we are.

Adrien

------ Original Message ------
From: "Mark Nottingham" <mnot@mnot.net>
To: "Willy Tarreau" <w@1wt.eu>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>; "Roy Fielding" <fielding@gbiv.com>; "Stephen Farrell" <stephen.farrell@cs.tcd.ie>; "Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Mike Belshe" <mike@belshe.com>
Sent: 20/11/2013 3:07:46 p.m.
Subject: Explicit Proxy [was: A proposal]

> Hi Willy,
>
> On 20/11/2013, at 12:41 PM, Willy Tarreau <w@1wt.eu> wrote:
>>
>> So let's loop back to one of the very old points about tls+auth for proxies. This will significantly improve the ability to use anonymisers and to use them safely. Without even the SNI or destination address being useful (right now the SNI is carried over clear text even through proxies).
>>
>> That way we can have end users safely connect to well known anonymisers without anyone being able to get anything from that conversation, to the same extents as what the pro-TLS guys expect from full TLS to servers.
>>
>> I know it has been discussed many times in the past, but let's bring that again on the table so that "people don't die anymore". Secure, trusted proxies are *the* solution to solve the privacy issues that make some people insist so much on having TLS. Let's just have it towards the right place.
>
> Explicit proxy is tracked here: <https://github.com/http2/http2-spec/issues/316>.
>
> I've heard a significant amount of interest in this, especially at and after Vancouver, and think we'll see more proposals soon.
>
> Cheers,
>
> --
> Mark Nottingham http://www.mnot.net/
Received on Wednesday, 20 November 2013 02:26:42 UTC
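The check Adrien's proposal hinges on (does an intercepted request "look like a proxy one or not") comes down to the form of the HTTP/1.1 request-target: a user agent that knows it is talking to a proxy sends absolute-form (`GET http://host/path`) or `CONNECT host:port`, while one that thinks it is talking to the origin sends origin-form (`GET /path`) and relies on `Host`. The following is an added example, not code from this thread or from any proxy product mentioned in it; the sample requests and the proxy address `10.0.0.1` are constructed, and the bounce response reuses the shape of the deprecated 305 Use Proxy status purely to illustrate the idea, since the thread itself says UAs never implemented it.

```python
"""Classify intercepted HTTP/1.1 requests as proxy-style or direct.

Added example (not from the mailing-list thread). It sketches the decision an
intercepting proxy on port 80 would make: inspect the request-target form
(RFC 7230, section 5.3) to tell whether the UA already addressed a proxy
(absolute-form or CONNECT) or believed it was addressing the origin server.
"""
from urllib.parse import urlsplit

# Forms that are only ever sent to a proxy.
PROXY_FORMS = {"absolute", "authority"}

# Constructed sample requests (not captured traffic).
DIRECT = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
VIA_PROXY = ("GET http://www.example.com/index.html HTTP/1.1\r\n"
             "Host: www.example.com\r\n\r\n")
TUNNEL = "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"


def request_target_form(request_line):
    """Return 'origin', 'absolute', 'authority' or 'asterisk' for a request line."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    if target == "*":
        return "asterisk"              # e.g. OPTIONS * HTTP/1.1
    if method.upper() == "CONNECT":
        return "authority"             # host:port, only meaningful to a proxy
    if target.startswith("/"):
        return "origin"                # UA thinks it is talking to the origin
    url = urlsplit(target)
    if url.scheme and url.netloc:
        return "absolute"              # UA knowingly addressed a proxy
    raise ValueError("unrecognised request-target: %r" % target)


def parse_request(raw):
    """Split the head of a raw request into (request_line, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def effective_request_uri(raw):
    """Reconstruct the URI the UA meant (RFC 7230, section 5.5).

    An intercepting proxy needs this because origin-form carries no scheme or
    host; those must come from the Host header. Scheme is assumed to be http
    because the interception point in the proposal is port 80.
    """
    request_line, headers = parse_request(raw)
    form = request_target_form(request_line)
    target = request_line.split(" ")[1]
    if form in PROXY_FORMS:
        return target                  # already complete (URI or host:port)
    host = headers.get("host")
    if not host:
        raise ValueError("origin-form request without Host header")
    return "http://" + host + ("" if form == "asterisk" else target)


def sent_to_proxy(raw):
    """True when the request-target form shows the UA addressed a proxy."""
    return request_target_form(parse_request(raw)[0]) in PROXY_FORMS


def intercept_decision(raw, proxy_host, proxy_port=8080):
    """Return ('forward', uri) for proxy-style requests, else ('bounce', response).

    The bounce reuses the deprecated 305 Use Proxy shape (status + Location)
    as an illustration only; the thread notes UAs never implemented it.
    """
    if sent_to_proxy(raw):
        return "forward", effective_request_uri(raw)
    body = ("The proxy at %s asserts that you must use it to access the "
            "internet.\n" % proxy_host)
    response = ("HTTP/1.1 305 Use Proxy\r\n"
                "Location: http://%s:%d/\r\n"
                "Content-Type: text/plain\r\n"
                "Content-Length: %d\r\n\r\n%s" % (proxy_host, proxy_port,
                                                  len(body), body))
    return "bounce", response


if __name__ == "__main__":
    for sample in (DIRECT, VIA_PROXY, TUNNEL):
        print(sample.split("\r\n")[0], "->", intercept_decision(sample, "10.0.0.1")[0])
```

Note that the form check only tells the proxy how the UA addressed its request; it says nothing about who is entitled to demand proxy use, which is exactly the "true origin of that requirement" gap Adrien flags for anyone upstream of the corporate gateway.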