Re: What will incentivize deployment of explicit proxies?

Hi Yoav,

When I said MITM operator, I was more referring to your customers who
deploy your product. If you had two modes of operation in your product --
MITM or explicit proxy -- which would your customers choose? What is the
incentive for them to choose eproxy? I think legal considerations may
sometimes be one of them.



On Wed, Dec 4, 2013 at 2:28 AM, Yoav Nir <> wrote:

> On 4/12/13 3:57 AM, Peter Lepeska wrote:
>> I wonder if MITM proxy operators have any legal concerns about viewing
>> content owners' traffic without their consent or even an indication that
>> the MITM is active. The proxy operators "own" their users' devices
>> presumably but not content owners' data. I think an ideal explicit proxy
>> would allow proxies to make their presence known to content owners.
> Hi, Peter
> Proxy vendor here. We can't make sweeping statements about legal concerns
> of proxy operators, because they vary from country to country and from
> state to state in federated countries.
> There are also many variables that may or may not be relevant legally or
> ethically. One is the question of visibility to humans. A next generation
> firewall scans the resources going through HTTP and then either transfers
> them on or drops them. The traffic is never stored and never visible to any
> administrator. The only thing that is visible is a log saying: "User
> JohnSmith tried to GET resource
> downloads/cracked_microsoft_office_2013.exe, which contained virus
> xxxxxxxxxx". So that's metadata. Is that OK? I don't know. That's why
> I'm arguing for visibility of the proxy.
> Same goes for a caching proxy. As long as nobody sees the content, what's
> the harm? If the proxy is used for reading people's emails and social
> network posts, and forwarding them to the proper authorities if they seem
> too subversive, the legal and ethical concerns are different. This is the
> other reason why we need proxies to be explicitly configured. Without that,
> all of the above proxies look the same.
> My company's product does not export HTTPS content. It's strictly a
> firewall, and there's no usable way to export the data. The problem is that
> there is no technical way to distinguish this kind of product from one that
> does export decrypted traffic.
> Yoav

Received on Wednesday, 4 December 2013 16:07:17 UTC