W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: What will incentivize deployment of explicit proxies?

From: Yoav Nir <synp71@live.com>
Date: Wed, 4 Dec 2013 09:28:50 +0200
Message-ID: <BLU0-SMTP399AE881413C209C9EF421CB1D40@phx.gbl>
To: Peter Lepeska <bizzbyster@gmail.com>, "William Chan (ι™ˆζ™Ίζ˜Œ)" <willchan@chromium.org>
CC: HTTP Working Group <ietf-http-wg@w3.org>
On 4/12/13 3:57 AM, Peter Lepeska wrote:
> I wonder if MITM proxy operators have any legal concerns about viewing 
> content owners' traffic without their consent or even an indication 
> that the MITM is active. The proxy operators "own" their users' 
> devices presumably but not content owners' data. I think an ideal 
> explicit proxy would allow proxies to make their presence known to 
> content owners.
Hi, Peter

Proxy vendor here. We can't make sweeping statements about legal 
concerns of proxy operators, because they vary from country to country 
and from state to state in federated countries.

There are also many variables that may or may not be relevant legally or 
ethically. One is the question of visibility to humans. A next 
generation firewall scans the resources going through HTTP and then 
either transfers them on or drops them. The traffic is never stored and 
never visible to any administrator. The only thing that is visible is a 
log saying: "User JohnSmith tried to GET resource 
https://warez.example.com/downloads/cracked_microsoft_office_2013.exe , 
which contained virus xxxxxxxxxx".   So that's metadata.  Is that OK?  I 
don't know. That's why I'm arguing for visibility of the proxy.

Same goes for a Caching proxy. As long as nobody sees the content, 
what's the harm. If the proxy is used for reading people's emails and 
social network posts, and forwarding them to the proper authorities if 
they seem too subversive, the legal and ethical concerns are different. 
This is the other reason why we need proxies to be explicitly 
configured. Without that, all of the above proxies look the same.

My company's product does not export HTTPS content. It's strictly a 
firewall, and there's no usable way to export the data. The problem is 
that there is no technical way to distinguish this kind of product from 
one that does export decrypted traffic.


Received on Wednesday, 4 December 2013 07:30:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:20 UTC