Re: What will incentivize deployment of explicit proxies?

+1 on playing nice with users and browsers, and add IT dept as well.

One of the biggest support queries we get relates to people who use our 
product to intercept connections, then wish the user to auth to the 

What we do in this case is pretend the proxy is the server asking for 
auth (so we send a 401 back with a WWW-Authenticate header).  There's no 
other way I can think of that can allow a per-connection establishment 
of credentials within HTTP.

The problem is the browser doesn't know about the proxy, so presumes the 
auth challenge (401) is coming from the server.  It also presumes 
therefore that if it goes to another site, it can't re-use the creds.

If on the other hand the client could learn about the existence of the 
proxy, and learn that it is the proxy that is asking for the auth, then 
it could adopt a different behaviour.

PAC files are not a good deployment option.  WPAD is not either.

IMO the best way is to take the connection that you have (the only one 
you can reliably know you will get) and use it to signal the requirement 
for proxy use.  This means in clear http, having a signal for 
requirement to use a proxy, and in TLS, you'd need something in there as 
well.  I know people consider this as breaking TLS.  However, inserting a 
mechanism to deny with information a TLS handshake... does that really 
break it?  Couldn't it be considered an extension of ALPN or NPN?


------ Original Message ------
From: "Nicolas Mailhot" <>
To: "William Chan (陈智昌)" <>
Cc: "Nicolas Mailhot" <>; "HTTP Working 
Group" <>
Sent: 4/12/2013 12:56:06 a.m.
Subject: Re: What will incentivize deployment of explicit proxies?
>On Tue 3 December 2013 12:27, William Chan (陈智昌) wrote:
>>  On Tue, Dec 3, 2013 at 1:53 AM, Nicolas Mailhot <> wrote:
>>>  On Tue 3 December 2013 08:37, William Chan (陈智昌) wrote:
>>>  > Pardon me if this is obvious, but it's not immediately obvious to what
>>>  > will cause people to use explicit proxies instead of MITM proxies? is
>>>  > going to deploy them? The 2 cases I can think of are:
>>>  I think browser and privacy people really need to remove their 'us 
>>>  them' blinders and the debate will be much more constructive.
>>  Wow, this is fairly aggressive. Did my email really prompt this?
>Sorry if it was aggressive, I was trying to kill this argument once and
>for all.
>The incentive to adopt http/2 instead of existing systems is to play 
>with browsers and users (assuming http/2 is well designed). Existing
>systems do not play nice with users and browsers. If you integrate the
>fact that operators do want to play nice with users and browsers, 
>realise your question answers itself.
>Nicolas Mailhot

Received on Tuesday, 3 December 2013 20:16:34 UTC
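The credential-scoping difference the post describes (an intercepting proxy answering with 401/WWW-Authenticate versus an explicit proxy answering with 407/Proxy-Authenticate), modelled as an added example that is not code from the thread; the sample responses, hostnames and realm are constructed.

```python
# Added example (not from the thread): how a client scopes credentials
# after a 401 vs a 407 challenge, per RFC 7235. Sample traffic is constructed.
from urllib.parse import urlsplit


def parse_challenge(header_value):
    """Return (scheme, realm) from a value such as 'Basic realm="corp"'."""
    scheme, _, params = header_value.partition(" ")
    realm = ""
    for param in params.split(","):
        name, _, value = param.strip().partition("=")
        if name.lower() == "realm":
            realm = value.strip().strip('"')
    return scheme.lower(), realm


def credential_scope(url, status, headers, proxy=None):
    """Key under which a client stores the credential it will obtain.
    401 is attributed to the origin in the URL, so the key changes with every
    site the intercepting proxy challenges; 407 is attributed to the proxy,
    so one key (and one credential) covers every site behind it.
    """
    if status == 401:
        scheme, realm = parse_challenge(headers["WWW-Authenticate"])
        o = urlsplit(url)
        return ("origin", o.scheme, o.netloc, scheme, realm)
    if status == 407:
        scheme, realm = parse_challenge(headers["Proxy-Authenticate"])
        return ("proxy", proxy, scheme, realm)
    raise ValueError("not an auth challenge: %d" % status)


def count_prompts(responses, proxy=None):
    """Simulate a client credential cache and count distinct logins needed."""
    cache = set()
    for url, status, headers in responses:
        cache.add(credential_scope(url, status, headers, proxy))
    return len(cache)


# Constructed traffic: one user, two sites, the same proxy in the path.
INTERCEPTING = [  # proxy pretends to be each server (the post's approach)
    ("http://a.example/", 401, {"WWW-Authenticate": 'Basic realm="corp"'}),
    ("http://b.example/", 401, {"WWW-Authenticate": 'Basic realm="corp"'}),
]
EXPLICIT = [  # proxy challenges as itself
    ("http://a.example/", 407, {"Proxy-Authenticate": 'Basic realm="corp"'}),
    ("http://b.example/", 407, {"Proxy-Authenticate": 'Basic realm="corp"'}),
]
```

`count_prompts(INTERCEPTING)` yields 2 (one login per site) while `count_prompts(EXPLICIT, "proxy.corp.example:3128")` yields 1, which is the reuse the post says the client cannot do when it does not know the challenge came from a proxy.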