- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 28 Nov 2013 11:46:08 +0000
- To: Yoav Nir <synp71@live.com>, HTTP Group <ietf-http-wg@w3.org>
Hiya,

Cutting out lots of bits...

On 11/28/2013 11:15 AM, Yoav Nir wrote:
> On 28/11/13 11:37 AM, Stephen Farrell wrote:

[...]

> With this proposal they can enforce their policy, allowing users to
> connect without a proxy, and not allowing them to connect with it. Seems
> like a positive to me.

You're saying that basically a bank with a policy of not agreeing to expose their customers' credentials to proxies (or with a regulator who imposes such a policy) would have to turn off Internet banking for any customer behind such a proxy who uses HTTP/2.0. I've no real clue, but I'd worry that'd be a major disincentive for deploying HTTP/2.0 for such a bank. (Is there even a good way to fall back to HTTP/1.1 in such a case?)

Doesn't that mean that the WG needs to know whether or not the above speculation is real before any particular proxy solution could be adopted? (Or before someone takes the risk of being burned, as you put it :-)

> Having this option on the table may allow (in the far future) browsers
> to stop scaling back security in the presence of MitM proxies.

Yes, current MITM attack boxes are worse. But doing the right thing of exposing the proxy to the web site might well mean giving some sites a choice that requires them to not use HTTP/2.0.

There are real and hard conflicts here between the enterprise desire to scan stuff and the web site desire for e2e security, and both need to be properly considered.

S.
Received on Thursday, 28 November 2013 11:46:33 UTC