Re: What will incentivize deployment of explicit proxies?

+1 with Nicolas view below, 
I also think we should work on a smart and secure auto configuration mechanism

I do think we should still have the distinction between HTTP and HTTPS resources in HTTP/2.0 no matter if 2.0 only runs on TLS.
Indeed in my view only HTTP resources' requests will be routed through the 'explicit proxy' (if there is one, and the user has opt-in or not decided to opt-out… tbd)
while all the secure HTTPS resources' requests will be always routed directly from the browser to the destination (i.e. content provider network), bypassing the explicit proxy
exactly as it happens nowadays whenever you have accepted to use the "Google Data Compression Proxy" for Chrome.


On Dec 4, 2013, at 11:34 AM, Nicolas Mailhot <> wrote:

> Le Mer 4 décembre 2013 01:22, William Chan (陈智昌) a écrit :
>> OK, it sounds like people are retreating back from the
>> autoconfiguration+interstitial part of an explicit proxy proposal...except
>> maybe Nicholas? I'd love to hear more thoughts on
>> autoconfiguration+interstitial. It sounds like the prevailing sentiment is
>> it's unacceptable from a security UX perspective.
> I think autoconfiguration and explicit are completely orthogonal problems
> Explicit (in the sense the user knows a gateway is in use, can inspect the
> gateway settings, and can refuse to use it) is absolutely required for
> security reasons.
> That does not mean the set up of this gateway can't be automated. The
> decision needs to be left to humans. The plumbing, to software & protocol.
> -- 
> Nicolas Mailhot

Received on Wednesday, 4 December 2013 15:01:02 UTC