- From: Adrien de Croy <adrien@qbik.com>
- Date: Wed, 15 Feb 2017 20:17:39 +0000
- To: "Adrien de Croy" <adrien@qbik.com>, "Patrick McManus" <mcmanus@ducksong.com>
- Cc: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>, "HTTP working group mailing list" <ietf-http-wg@w3.org>
- Message-Id: <emf8f3d2c3-69cb-4ebb-ba7b-2e263dea1f15@bodybag>
------ Original Message ------
From: "Adrien de Croy" <adrien@qbik.com>
>
>yes, that's what caused the problem in the first place, and until we
>trust the proxy I don't think we'll move on from there.
>
>Which means the connection to the proxy needs to be TLS.

or at the very least the response message from the proxy needs to be digitally signed.

I could understand why a browser may not wish to have 2 TLS layers going on at the same time.

Adrien

>
>
>We already support this with WinGate and I've verified it with Chrome
>and Firefox. In that case couldn't the client trust an error response
>body from CONNECT?
>
>Adrien
>
>
>------ Original Message ------
>From: "Patrick McManus" <mcmanus@ducksong.com>
>To: "Adrien de Croy" <adrien@qbik.com>
>Cc: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>; "HTTP working group
>mailing list" <ietf-http-wg@w3.org>
>Sent: 16/02/2017 9:08:16 AM
>Subject: Re: The future of forward proxy servers in an http/2 over TLS
>world
>
>>there is no firefox support for that right now. It would require a
>>convincing UI and probably interest from another client to proceed
>>with. The concern is obviously some kind of phish mitm any time you
>>are asked to display https and you display anything not authenticated
>>by that origin.
>>
>>
>>On Wed, Feb 15, 2017 at 3:02 PM, Adrien de Croy <adrien@qbik.com>
>>wrote:
>>>
>>>Thanks for that
>>>
>>>looks like I already knew about it lol.
>>>
>>>Do we have any idea about whether this has browser support, I assume
>>>FF so far only?
>>>
>>>Adrien
>>>
>>>
>>>------ Original Message ------
>>>From: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>
>>>To: "Adrien de Croy" <adrien@qbik.com>
>>>Cc: "HTTP working group mailing list" <ietf-http-wg@w3.org>; "Kari
>>>Hurtta" <hurtta-ietf@elmme-mailer.org>
>>>Sent: 16/02/2017 8:31:25 AM
>>>Subject: Re: The future of forward proxy servers in an http/2 over
>>>TLS world
>>>
>>>>> This means we have a need to be able to respond to CONNECT with a
>>>>> denial, and some kind of message that can be displayed to the
>>>>> user.
>>>>
>>>>Maybe
>>>>
>>>>https://tools.ietf.org/id/draft-nottingham-proxy-explanation-00.txt
>>>>
>>>>https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html
>>>>
>>>>https://bugzilla.mozilla.org/show_bug.cgi?id=637619#c31
>>>>
>>>>https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0419.html
>>>>
>>>>/ Kari Hurtta
>>>>

Received on Wednesday, 15 February 2017 20:18:18 UTC