Re: Explicit Proxy [was: A proposal]

On Wed, Nov 20, 2013 at 01:07:46PM +1100, Mark Nottingham wrote:
> Hi Willy,
> 
> On 20/11/2013, at 12:41 PM, Willy Tarreau <w@1wt.eu> wrote:
> > 
> > So let's loop back to one of the very old points about tls+auth for
> > proxies. This will significantly improve the ability to use anonymisers
> > and to use them safely. Without even the SNI or destination address
> > being useful (right now the SNI is carried over clear text even
> > through proxies).
> > 
> > That way we can have end users safely connect to well known anonymisers
> > without anyone being able to get anything from that conversation, to
> > the same extent as what the pro-TLS guys expect from full TLS to
> > servers.
> > 
> > I know it has been discussed many times in the past, but let's bring
> > that again on the table so that "people don't die anymore". Secure,
> > trusted proxies are *the* solution to solve the privacy issues that
> > make some people insist so much on having TLS. Let's just have it
> > towards the right place.
> 
> 
> Explicit proxy is tracked here: <https://github.com/http2/http2-spec/issues/316>. 

Ah yes thanks for the link.

> I've heard a significant amount of interest in this, especially at and after
> Vancouver, and think we'll see more proposals soon.

From my understanding (I was one of those who insisted on having this),
till now it was mainly to make it easier to transport proxy auth without
revealing credentials and without doing the ugly redirect<->https dance
for the auth. Now I can see this as a solution to solve *the* problem we
identify for users browsing in cleartext, so I think anonymizers is a
new useful feature that should be mentioned there as a way to improve
overall privacy.

Thanks,
Willy

Received on Wednesday, 20 November 2013 07:12:20 UTC