- From: Peter Lepeska <bizzbyster@gmail.com>
- Date: Wed, 4 Dec 2013 11:06:50 -0500
- To: Yoav Nir <synp71@live.com>
- Cc: William Chan (陈智昌) <willchan@chromium.org>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CANmPAYGpJyyDsgiFVMH37yGfuQHh4xiDTiBWTJCO6qEFUoe51g@mail.gmail.com>
Hi Yoav,

When I said MITM operator, I was more referring to your customers who deploy your product. If you had two modes of operation in your product -- MITM or explicit proxy -- which would your customers choose? What is the incentive for them to choose eproxy? I think legal considerations may sometimes be one of them.

Thanks,

Peter

On Wed, Dec 4, 2013 at 2:28 AM, Yoav Nir <synp71@live.com> wrote:

> On 4/12/13 3:57 AM, Peter Lepeska wrote:
>
>> I wonder if MITM proxy operators have any legal concerns about viewing
>> content owners' traffic without their consent or even an indication that
>> the MITM is active. The proxy operators "own" their users' devices
>> presumably but not content owners' data. I think an ideal explicit proxy
>> would allow proxies to make their presence known to content owners.
>
> Hi, Peter
>
> Proxy vendor here. We can't make sweeping statements about legal concerns
> of proxy operators, because they vary from country to country and from
> state to state in federated countries.
>
> There are also many variables that may or may not be relevant legally or
> ethically. One is the question of visibility to humans. A next generation
> firewall scans the resources going through HTTP and then either transfers
> them on or drops them. The traffic is never stored and never visible to any
> administrator. The only thing that is visible is a log saying: "User
> JohnSmith tried to GET resource
> https://warez.example.com/downloads/cracked_microsoft_office_2013.exe ,
> which contained virus xxxxxxxxxx". So that's metadata. Is that OK? I don't
> know. That's why I'm arguing for visibility of the proxy.
>
> Same goes for a Caching proxy. As long as nobody sees the content, what's
> the harm. If the proxy is used for reading people's emails and social
> network posts, and forwarding them to the proper authorities if they seem
> too subversive, the legal and ethical concerns are different. This is the
> other reason why we need proxies to be explicitly configured. Without that,
> all of the above proxies look the same.
>
> My company's product does not export HTTPS content. It's strictly a
> firewall, and there's no usable way to export the data. The problem is that
> there is no technical way to distinguish this kind of product from one that
> does export decrypted traffic.
>
> Yoav
Received on Wednesday, 4 December 2013 16:07:17 UTC