Re: ext#9: OppSec and Proxies

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 29 Jul 2014 09:23:48 -0700
Message-ID: <CABkgnnU2EDxvy3qmaU53Mh_4iipDd738QFdHcHfo63r+z1_6Aw@mail.gmail.com>
To: "emile.stephan@orange.com" <emile.stephan@orange.com>
Cc: "Mark Nottingham (mnot@mnot.net)" <mnot@mnot.net>, "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>

On 29 July 2014 08:46, <emile.stephan@orange.com> wrote:
> Currently a mobile client can already OppSec connect to performance proxies
> (Google DCP and Opera cases were discussed in the meeting) hosted on the
> Internet, but one at a time.

This isn't really opportunistic; these proxies are typically
configured based on a name or a certificate fingerprint.  That's a
different proposition than what we're talking about here.

That said, I think that we need to examine the trade-offs when we talk
about securing proxy communications.  With HTTP/2 to the proxy, we can
use ALTSVC frames (though not Alt-Svc header fields) to enable
opportunistic security if we are very careful.  But it might be easier
on balance to simply say that the proxy is configured to use a TLS
connection that is authenticated against a specific name.  e.g.,
rather than saying the proxy is at http://proxy.orange.com, say that
it is at https://proxy.orange.com
Received on Tuesday, 29 July 2014 16:24:15 UTC