Re: new version trusted-proxy20 draft from Amos Jeffries on 2014-02-26 (ietf-http-wg@w3.org from January to March 2014)

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 27 Feb 2014 11:50:02 +1300
To: ietf-http-wg@w3.org
Message-ID: <a590aee5bce069bc0b688b1834023714@treenet.co.nz>
There is likewise a small but very real amount of https:// schemed 
traffic happening over TCP (non-TLS) ports to proxies. For the cases 
where the proxy is performing the TLS connectivity on behalf of the 
client UA.

Amos


On 2014-02-27 05:23, William Chan wrote:
> Yes there is. It's pretty negligible though. One example is that 
> Patrick's
> been running experiments. There are some older examples with Chromium. 
> I
> don't know if there's any actual traffic though:
> http://www.stefanwille.com/2013/04/using-spdy-with-nginx-1-4/.
> 
> 
> On Wed, Feb 26, 2014 at 8:15 AM, Peter Lepeska wrote:
> 
>> "That's false, but pretty close to true, so I'll ignore it."
>> 
>> Are you referring to the traffic that is HTTP-schemed but connected to 
>> a
>> secure proxy over TLS as per the other thread? Is there any 
>> non-proxied
>> http-schemed traffic running over TLS currently?
>> 
>> Thanks!
>> 
>> Peter
>> 
>> 
>> On Wed, Feb 26, 2014 at 11:12 AM, William Chan (陈智昌) <
>> willchan@chromium.org> wrote:
>> 
>>> That's false, but pretty close to true, so I'll ignore it. In any 
>>> case,
>>> it depends if opportunistic encryption takes off. I think Patrick was
>>> experimenting on this in collaboration with mnot@. I expect we'll 
>>> hear
>>> an update in London, and perhaps have some more discussion on the 
>>> topic.
>>> 
>>> 
>>> On Wed, Feb 26, 2014 at 5:10 AM, Peter Lepeska 
>>> <bizzbyster@gmail.com>wrote:
>>> 
>>>> Okay. But currently no "http"-schemed traffic runs over TLS. Do we 
>>>> think
>>>> this will account for a significant portion of web traffic in the 
>>>> future?
>>>> 
>>>> 
>>>> On Tue, Feb 25, 2014 at 9:35 PM, Jeff Pinner 
>>>> <jpinner@twitter.com>wrote:
>>>> 
>>>>> Currently, "http" and "https" conflate the browser security model 
>>>>> with
>>>>> the transport security model. The "https" browser security model 
>>>>> might not
>>>>> be acceptable for certain resources even if the transport security 
>>>>> model is
>>>>> preferable.
>>>>> 
>>>>> 
>>>>> On Tue, Feb 25, 2014 at 5:09 PM, Peter Lepeska 
>>>>> <bizzbyster@gmail.com>wrote:
>>>>> 
>>>>>> Hi Salvatore,
>>>>>> 
>>>>>> As you know, I'm all for new proposals that support both Secure 
>>>>>> Proxy
>>>>>> and Trusted Proxy. So thanks for writing and posting this. I'm 
>>>>>> struggling
>>>>>> to understanding how http URIs over TLS work as described in your 
>>>>>> draft. My
>>>>>> main question is:
>>>>>> 
>>>>>> If the content server supports authenticated TLS, then why isn't 
>>>>>> the
>>>>>> content just hosted via "https"-schemed URIs? What is the reason 
>>>>>> that the
>>>>>> content server would make this content available via http schemes?
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Peter
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Tue, Feb 25, 2014 at 10:31 AM, Ryan Hamilton 
>>>>>> <rch@google.com>wrote:
>>>>>> 
>>>>>>> I think that Will is supportive of secure proxies as he said 
>>>>>>> upthread:
>>>>>>> 
>>>>>>> Let's be clear, these are two different things. There's "secure 
>>>>>>> proxy"
>>>>>>> which is securing the connection between the proxy and the 
>>>>>>> client. I'm
>>>>>>> supportive of standardizing this.
>>>>>>> 
>>>>>>> 
>>>>>>> Chrome currently supports specifying such proxies via pac files:
>>>>>>> 
>>>>>>> http://www.chromium.org/developers/design-documents/secure-web-proxy
>>>>>>> 
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> 
>>>>>>> Ryan
>>>>>>> 
>>>>>>> 
>>>>>>> On Tue, Feb 25, 2014 at 1:40 AM, Roland Zink <roland@zinks.de> 
>>>>>>> wrote:
>>>>>>> 
>>>>>>>> On 24.02.2014 22:25, William Chan (陈智昌) wrote:
>>>>>>>> 
>>>>>>>>> I've asked this before, and I still think it's a reasonable
>>>>>>>>> question.
>>>>>>>>> Is there another vendor that wants to interop with this kind of
>>>>>>>>> proxy?
>>>>>>>>> I'm asking this because I think that the purpose of 
>>>>>>>>> standardizing
>>>>>>>>> such
>>>>>>>>> a proposal is for interoperability across vendors, and I don't 
>>>>>>>>> see
>>>>>>>>> the
>>>>>>>>> point if the only implementations are Ericsson. But I may be
>>>>>>>>> misunderstanding IETF policy here.
>>>>>>>>> 
>>>>>>>> There are other implementations of "secure proxies" like Chrome 
>>>>>>>> on
>>>>>>>> Android can use a Google proxy. Why should a user trust the 
>>>>>>>> Google proxy
>>>>>>>> more than a proxy from <insert your favorite mobile network 
>>>>>>>> operator>? An
>>>>>>>> interoperability would be good.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>>
Received on Wednesday, 26 February 2014 22:50:30 UTC