Re: What will incentivize deployment of explicit proxies?

On Dec 9, 2013, at 5:17 AM, Roberto Peon <grmocg@gmail.com> wrote:

On Sun, Dec 8, 2013 at 6:33 PM, Mark Nottingham <mnot@mnot.net> wrote:
This thread makes me wonder if, rather than focusing on introducing a new kind of proxy to address the “enterprise/school/prison” (ESP) use case, we* should instead focus on fixing how trust roots are configured and managed in browsers / OSs.

I say that because the requirement is already being met in the market; ESPs are able to inspect and modify traffic as it goes by on the wire by configuring a new trust root. It’s just that there are some nasty side effects brought about by that solution.

We may be able to mitigate the bad effects of the current solution — e.g., by allowing the user to understand when their browser is using a trust root that was added later (AIUI some versions of Chrome already do this visually?), by giving the user more fine-grained control over what new certificates can be used for (to address the BYOD user), etc.

If we can do that, we avoid the potential for new security choices in front of non-enterprise end users, ones that Will is justifiably nervous about (since anything that would allow a MITM warning to be clicked through is a VERY attractive attack vector).

The one thing that wouldn’t be addressed by this approach is the potential for a “semi-trusted” proxy that can see inside encryption and yet promises e2e integrity. So, to me it seems like we should be focusing on the use cases that lead us there (rather than on that particular solution, yet).

The one that’s been clearly identified is shared caching; is there another?

malware/virus scanning

+1

but then there would also be others more related to the network management aspect, such as
modifying the flow control to improve performance in special network environments (i.e. cellular networks)

/Salvatore

Received on Thursday, 12 December 2013 15:35:47 UTC