
Re: Trusted proxy UI redux

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Tue, 24 Jun 2014 11:35:17 -0400
Message-ID: <CAOdDvNpK8G6Bpu20moJVS3NomuP_5C89TCt=90RfXTmvzRkkew@mail.gmail.com>
To: Peter Lepeska <bizzbyster@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Tue, Jun 24, 2014 at 10:43 AM, <bizzbyster@gmail.com> wrote:

> I wonder if the browser guys can weigh in on this. Martin, Patrick, Will,
> Rob? Others? Do you agree that our choices are as follows?
> 1) Do nothing. This is today's MITM with user installed CAs.
> 2) Some type of trusted proxy UI support that gives the user notification
> and control. Something similar to this:
> http://caffeinatetheweb.com/presentations/trusted_proxy.html#/.
> 3) Disable all mechanisms for HTTPS decryption by proxies (for instance,
> enforce pinned certs)

I think it's inevitable that different parties will make different choices
and some of those choices won't be on your list. This is because there
isn't a critical mass of people that have come together in order to agree
to a path for this problem in this forum.

> Do you agree that #3 is not an option b/c browsers will immediately stop
> working for a large number of corporate users?

Some variation of #3 is definitely an option. They all have ups and downs.

> And that #2 is an improvement over #1 since it does not increase security
> vulnerability but gives user some visibility and control?

In some aspects it's better - but it's not strictly better. #1 is generally
done with administrative control of the OS which is a protection #2 does
not have.

I'm not convinced that a "make my internet work" button qualifies as
visibility or control or that consent can be meaningful in this context. I
don't have an alternative.

> As others have pointed out, this may not actually be an HTTPbis protocol
> issue.

I agree that it is fruitless to be talking about it in this space which is
why I haven't expended a lot of energy on it right now and don't intend to
fill my days replying to the various threads.

This discussion will boil down to "I want my MITM model to do something
noble vs I want two-party privacy" and each side sees massive potential for
misuse of the other side's position (one side has spying/secret
theft/tracking/big-data/security injection concerns, the other DLP,
viruses, the detection of bit patterns prohibited by law, etc.; both have
clear precedent in practice). This isn't to say there is or isn't trust
among the players in this discussion but they of course won't be the only
implementers at the end of the day.

Received on Tuesday, 24 June 2014 15:35:45 UTC
