Re: What will incentivize deployment of explicit proxies?

On Tue, Dec 3, 2013 at 1:02 AM, Willy Tarreau <> wrote:

> Hi William,
> On Mon, Dec 02, 2013 at 11:37:33PM -0800, William Chan (?????????) wrote:
> > Pardon me if this is obvious, but it's not immediately obvious to me what
> > will cause people to use explicit proxies instead of MITM proxies? Who is
> > going to deploy them? The 2 cases I can think of are:
> >
> > (1) People who are using HTTP interception ("transparent") proxies
> > (2) People who are already using SSL MITM proxies
> (...)
> There are several use cases. First, explicit proxies commonly require
> authentication. This cannot be *cleanly* done using MITM, you generally
> have to hack with cookies and redirects, and it's often not compatible
> with a number of browser plug-ins or even software updates.

Sorry, I'm having difficulty understanding this case. Can you explain
further? Just to be clear, what I was describing above was a transition
process. I tried to highlight known existing proxy deployments and tried to
see how the new proposals would fit in. Can you explain what this use case
you're describing is more precisely, how it's solved (perhaps poorly!)
today, and how one of the new proposals has the appropriate incentives
from the various players to adopt it? When you say requires authentication,
to me that is a configured proxy that a browser is already aware of. If
it's already configured, then the browser already has the functionality to
talk to it, and the client administrator already has the power to configure
the client browser to speak to the proxy, and could already install MITM
certs (which I assume is what happens today). I suspect I got something
wrong in that understanding, so please correct me. I'm trying to understand
what would motivate an administrator who already has control over the
client devices and the proxy deployment to want to switch to an explicit
proxy instead.

> Second, you forget one growing deployment case which is the external
> filtering proxy. Many companies provide this nowadays. Zscaler is one
> of them, but I'm also seeing small companies order such services for
> internal use and propose them to their employees for free to use from
> home, simply because that helps them protect their PC against malware.
> Again here we're talking only about explicit proxies, since there's
> nothing on the network between the browser and the origin server.

I feel like "explicit" has been overloaded here. Looking at the issue for
explicit proxies, the first sentence of says: "In some use cases,
the network requires that traffic between a user agent and servers be
visible to it (e.g., for application of policy, filtering, compliance
requirements)." This seems to be referring to entities in the network
between the browser and the origin server.

In any case, how does Zscaler work today? It appears to already install
MITM certs. If that works great for them already, what's contained in the
new proposals that they need and would see better adoption?

> Third, a long time ago when the internet started to reach joe user,
> all ISPs provided some connection kits which pre-configured their
> local proxies in the browser. The goal was to save on bandwidth costs.
> This disappeared when ISP's bandwidth became much larger than what they
> offer to their customers. But in mobile environments there's still a
> benefit for this: you save the DNS round trip, and I'm quite sure
> that if explicit proxies could be used safely, they would be more
> commonly used in mobile environments because you can typically save
> about 1 second in an average page load time due to the many hosts on
> a page (interestingly, domain sharding has hurt page load time there).

I agree that proxies can improve on these situations. And historically,
interception proxies do a lot of this.

> Then you have anonymizers that some people use for whatever reason
> (paranoia, illegal activities, political reasons, etc...).
> I expect that use of explicit proxies will significantly raise after
> adoption of proxies over TLS because one of the problems explicit
> proxies are currently facing is the lack of confidentiality when used
> in clear (e.g. CONNECT host:port, SNI in clear text, credentials in
> clear text).

Just to be clear, if all we're talking about is a configured HTTPS proxy,
as opposed to existing configured HTTP/SOCKS proxies, then I totally see
the incentive for it. The browser<=>proxy connection is not secured and
it'd be nice to secure it. I guess I was lumping in the "trusted" bit too
that I see in lots of proposals.

> Hoping this helps,
> Willy

I'm finding this helpful, thanks.

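As an added illustration of the cleartext exposure Willy lists (CONNECT target and proxy credentials), not code from this thread: the script below parses a constructed CONNECT request exactly as it would travel over a cleartext browser<=>proxy hop and reports what a passive observer on that hop can read, versus what remains visible once the same request is carried inside TLS to the proxy. The sample request, the proxy name and the credentials are all made up for the example.

```python
"""What an on-path observer learns from a browser's CONNECT request to an
explicit proxy, in the clear versus over TLS.  Added example; the request
below is constructed, not captured traffic."""
import base64
from typing import Dict, Optional

# Constructed sample: a browser opening a tunnel through a cleartext proxy
# that requires Basic authentication (credentials are made up).
SAMPLE_CONNECT = (
    b"CONNECT mail.example.org:443 HTTP/1.1\r\n"
    b"Host: mail.example.org:443\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
)


def exposed_fields(raw: bytes) -> Dict[str, Optional[str]]:
    """Parse a cleartext CONNECT request and return what a passive observer
    on the browser<->proxy hop learns from it: the target host:port and,
    for Basic auth, the decoded proxy credentials."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    # rpartition keeps bracketed IPv6 literals such as [2001:db8::1]:443 intact
    host, _, port = target.rpartition(":")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result: Dict[str, Optional[str]] = {
        "target_host": host, "target_port": port,
        "auth_scheme": None, "credentials": None,
    }
    auth = headers.get("proxy-authorization")
    if auth:
        scheme, _, param = auth.partition(" ")
        result["auth_scheme"] = scheme
        if scheme.lower() == "basic":  # Basic is base64, not encryption
            result["credentials"] = base64.b64decode(param).decode("utf-8", "replace")
    return result


def observer_view(raw: bytes, proxy_over_tls: bool, proxy_name: str) -> dict:
    """Same request: over TLS to the proxy, only the proxy's own SNI/endpoint
    is visible; target and credentials travel inside the TLS connection."""
    if proxy_over_tls:
        return {"proxy_sni": proxy_name}
    return exposed_fields(raw)
```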
Received on Tuesday, 3 December 2013 11:03:30 UTC