Re: The future of forward proxy servers in an http/2 over TLS world

On Thu, Feb 16, 2017 at 12:35 PM, Adrien de Croy <> wrote:

> Hi Tom
> the predominant use-cases are as follows.
> 1. A corporation, with many employees with computers and internet access.
> The employer doesn't want the employees spending all day on facebook,
> youtube, or other sites, unless it's the customer-support / social media
> department.
> 2. A school which doesn't want students surfing porn
> In all these cases, you have the issue of many computers, and a single
> policy.  To block in the browser requires several things, a centralised
> management of the policy, disseminated to the browserm some way of securing
> this so the users don't disable it etc.

Many browsers provide enterprise management functionality for exactly this
sort of use case.

> If on the other hand you intercept outbound connections, and force them
> through a proxy, or require use of a proxy for internet access, you can
> enforce the policy in a place that's removed from the users.
> Other features like a shared cache, AV scanning etc are also commonly used.
> Also, there are products that provide categorization of sites.  If you
> wanted to allow all sites except porn sites, and to block that in a
> browser, you would need to know what all the porn sites are.
> There are products that track this, but they are expensive, have a large
> resource footprint etc. You can't be running this on every endpoint.
> So central control is required, and this is a proxy.

Many enterprises go this route​ of using a proxy that mints certificates
and MITMs the connection to enforce policy.

Received on Thursday, 16 February 2017 21:53:06 UTC