Re: ext#9: OppSec and Proxies

On 29/07/2014 6:38 p.m., Mark Nottingham wrote:
> <https://github.com/httpwg/http-extensions/issues/9>
> 
> We discussed this issue in Toronto, and the sense of the room there was to close this issue with no action, since there are a lot of different scenarios for how a client uses a proxy, as well as different kinds of proxies which might cause clients to do different things.
> 
> Any more discussion?

If I am understanding the term "OppSec" correctly (does it still match
the military meaning?) then the administrators' OPSEC policy itself
should be detailing these things, not the HTTP spec.

All HTTP spec has to do is provide flexibility in access (CONNECT,
Upgrade, ALPN, Alt-Svc - good) and security operations (TLS, nothing,
home-grown message signatures - reasonable) which the policy selects
from. The onus is largely on implementations to retain interoperability
when such a policy prohibits or mandates certain traffic usage (within
HTTP spec).

For example Chrome by rejecting CONNECT+Upgrade and plain-text HTTP/2
has effectively omitted itself from several OpSec policy groups which
require open and/or recorded traffic within a network. The jail and
school controlled-network scenarios being the most well-known of these.

Amos

Received on Tuesday, 29 July 2014 11:31:16 UTC