Re: The future of forward proxy servers in an http/2 over TLS world

------ Original Message ------
From: "Ryan Hamilton" <rch@google.com>

>On Thu, Feb 16, 2017 at 12:35 PM, Adrien de Croy <adrien@qbik.com> 
>wrote:
>>
>>Hi Tom
>>
>>the predominant use-cases are as follows.
>>
>>1. A corporation, with many employees with computers and internet 
>>access.  The employer doesn't want the employees spending all day on 
>>facebook, youtube, or other sites, unless it's the customer-support / 
>>social media department.
>>
>>2. A school which doesn't want students surfing porn
>
obviously there are many other use cases as well.

>
>>In all these cases, you have the issue of many computers, and a single 
>>policy.  To block in the browser requires several things: a 
>>centralised management of the policy, disseminated to the browser, 
>>some way of securing this so the users don't disable it etc.
>
>Many browsers provide enterprise management functionality for exactly 
>this sort of use case.

yes, but most deployment situations involve many different platforms and 
browsers.  The proxy solution works for all, does not suffer from 
version hell with incompatible browser updates etc.


>
>>If on the other hand you intercept outbound connections, and force 
>>them through a proxy, or require use of a proxy for internet access, 
>>you can enforce the policy in a place that's removed from the users.
>>
>>Other features like a shared cache, AV scanning etc are also commonly 
>>used.
>>
>>Also, there are products that provide categorization of sites.  If you 
>>wanted to allow all sites except porn sites, and to block that in a 
>>browser, you would need to know what all the porn sites are.
>>
>>There are products that track this, but they are expensive, have a 
>>large resource footprint etc. You can't be running this on every 
>>endpoint.
>>
>>So central control is required, and this is a proxy.
>
>Many enterprises go this route of using a proxy that mints 
>certificates and MITMs the connection to enforce policy.
>
They do, but I'm not even talking about this.  The question was about 
whether control should be in the UA or a proxy.

If I look back over the last couple of years, all the time we have 
recommended using MitM to customers is for dealing with this specific 
issue.  No other issue.  They aren't by and large asking us how do we 
cache https sites, they are asking us how can we show proper block pages 
for https sites.

Adrien


Received on Friday, 17 February 2017 04:48:21 UTC