Re: The future of forward proxy servers in an http/2 over TLS world

On 02/15/2017 01:24 PM, Ryan Hamilton wrote:

> Chrome supports speaking to an HTTP proxy via TLS. However, that's not
> sufficient to display error pages in response to connect requests.

UI problems aside, it is sufficient -- the level of trust towards an
HTTPS proxy is the same as the level of trust towards an HTTPS origin
server because both destinations are (or can be) validated using the
same set of trust mechanisms. Chrome (among other browsers) just does
not want to solve the UI problems associated with handling two trusted
but different sources of information.

> the UI presented should either be:
> * Actual content from the server which has been end-to-end authenticated via a TLS connection to the origin.
> * Browser UI

This is a false dichotomy IMO. Just because a browser currently lacks a
third UI does not mean that such UI cannot be added. The HTTPS proxy has
been end-to-end authenticated via an end-to-end TLS connection just like
the origin server would have been. There is no difference there. The
only difference is the lack of a distinct-enough UI for proxy-generated

It is a difficult UI problem, but browsers, given enough motivation,
have solved plenty of difficult UI problems (or even shipped without
good solutions).


