W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: new version trusted-proxy20 draft

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Mon, 24 Feb 2014 11:00:49 +0200
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140224090049.GA9816@LK-Perkele-VII>
On Fri, Feb 14, 2014 at 06:56:14PM +0000, Salvatore Loreto wrote:
> 
> URL:            http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt

Some comments:

1) As others have said, unnecressarily admitting to possible attackers
that connections aren't really protected is not a good idea.

2) The downgrade to HTTP/1.1 for proxy setup looks really odd, and
should be over TLS too.

3) Leaving manual configuration aside, there is certain merit to the
idea that network is able to force a proxy. OTOH, the arising security
issues aren't trivial (understatement).

4) One idea would be h2p / h2pxy / h2proxy protocol, which would be
HTTP/2 with some extensions for proxy operation, like additional
response codes, proxy being able to respond for itself, browser being
able to send request to proxy, proxy relaying certificate info, etc...

5) Regarding to usescases, protocol conforming to principle of
least priviledge and accomodiating all or even most of those (goes
up to "Tom's Rural broadband" right now) would likely be hideously
complicated mess of crypto.

6) Because of the last, one is pretty much limited to no trust (CONNECT)
or full trust (GET/POST/PUT).


-Ilari
Received on Monday, 24 February 2014 09:01:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC