Re: The future of forward proxy servers in an http/2 over TLS world

Hi,

I'll answer once, because every single long-timer on the list is sick to death of browser/privacy people asking "why" every couple of months, with accusing/unkind/moralistic vocabulary, and then going AWOL as soon as the presented facts do not go their way.

Aside from special professions where monitoring and eventually blocking is a legal requirement, blocking at the proxy level is just a matter of network scale for corporations.

The bigger your private network is, the less you are able to control individual endpoints, because there are too many of them, they break down and are replaced all the time, and they are increasingly diverse, from desktops to laptops to tablets to smartphones to printers to appliances to the connected lightbulb some idiot brought in to impress his boss with software-controlled colours. Plus, if your org is big enough you get visitors with their own hardware, BYOD hardware to (supposedly) cut IT support costs, etc., etc. So forget about any mechanism that requires installing specific software add-ons endpoint-side.

The bigger your private network is, the more likely you have somewhere a business-critical function deployed on a badly secured system (mistakes happen, contractors can be incompetent or careless, gray IT is a fact of life). So you need to protect this network; it's not just an Internet extension.

The bigger your private network is, the more likely *bignumber* of users slacking and watching cat videos on YouTube will translate into expensive network upgrades, including paying for civil works to lay down new dark fiber to your premises. Civil works that business units will refuse to pay for, since no one has managed to write a convincing business plan that includes watching cat videos so far. (The way CDNs and systematic encryption have killed any hope of caching at the gateway does not help either.) As a bonus, the very same business units will hang you out to dry because you let this traffic saturate links that were needed for business functions.

Educating people properly, fixing every system, getting IT support to audit, configure and fix every possible endpoint, has prohibitive costs, and would bring the company's velocity to a halt. Not every company can afford a workforce composed exclusively of bright-eyed, responsible, up-to-date computer scientists. Not every company can afford to design its own hardware and desktop software that it is sure of (besides, don't forget the lightbulbs). Most companies cannot airgap every critical system (the other armchair answer to security problems). There are too many of them, they change all the time, they are all networked right and left.

So you try to limit the breakage, by forcing all your outbound traffic through a gateway, and blocking at that gateway anything likely to generate non-business-related high levels of traffic, and anything linked to security attacks. Which requires subscribing to expensive web reputation services, listening hard to the notifications of your country's cyber command (aka your spooks), etc.

If you're nice you can rate-limit non-business-critical traffic instead of blocking it, but that still requires identifying this traffic at the gateway (layer-7 URL matching, because who wants to track what Akamai's, YouTube's, etc. IP plan is today).

So there *is* blocking at the gateway level, there *will* *be* blocking at the gateway level; the question is not whether this blocking should exist or not, but whether the user experience can be made less miserable than it is today because of unilateral browser changes.

Regards, 

-- 
Nicolas Mailhot

Received on Friday, 17 February 2017 12:14:35 UTC
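The gateway policy the post describes (block some categories outright, rate-limit others, identify traffic by layer-7 URL matching) can be sketched as a small decision engine. The following is an added example, not code from the post or from any proxy product it alludes to. It assumes constructed category rules and policies (hypothetical hosts such as `bad.example` and `example-video.com`), a per-client token bucket for rate limiting, and a simulated clock passed in by the caller. It also shows the constraint the thread subject hints at: for a `CONNECT` tunnel (TLS) the gateway only sees the authority, not the path, so category rules have to be written to match on host alone in that case.

```python
import re

# Constructed category rules (hypothetical, not from the post). Each regex runs over
# the "host/path" identity the gateway can see; because CONNECT exposes only the
# host, every rule also accepts a bare host (the "(/|$)" tail).
CATEGORY_RULES = {
    "streaming": re.compile(r"^(www\.)?(youtube|example-video)\.com(/|$)"),
    "malware":   re.compile(r"^bad\.example(/|$)"),
}

# Constructed policies: block outright, or ("limit", bytes_per_second, burst_bytes).
# Categories absent here are allowed without limit.
POLICY = {
    "malware":   ("block",),
    "streaming": ("limit", 1_000_000, 2_000_000),   # 1 MB/s sustained, 2 MB burst
}


class TokenBucket:
    """Token bucket in bytes: refills at `rate` per second up to `capacity`."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def take(self, nbytes, now):
        # Refill for the elapsed time, capped at capacity, then try to spend.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def request_target(request_line):
    """Return the layer-7 identity visible to a forward proxy.

    CONNECT (TLS tunnel): only "host" is visible, the path never is.
    Absolute-form plain HTTP:  "host/path".
    """
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()          # strip the port
    m = re.match(r"https?://([^/]+)(/.*)?$", target)
    if not m:
        raise ValueError("unsupported request form: " + request_line)
    host = m.group(1).rsplit(":", 1)[0].lower()           # no IPv6-literal handling
    return host + (m.group(2) or "/")


def classify(identity):
    """Map a visible identity to the first matching category, else 'uncategorized'."""
    for category, pattern in CATEGORY_RULES.items():
        if pattern.search(identity):
            return category
    return "uncategorized"


class Gateway:
    """Per-client, per-category policy enforcement point."""

    def __init__(self):
        self.buckets = {}          # (client_ip, category) -> TokenBucket

    def decide(self, client, request_line, nbytes, now):
        """Return (action, category); action is 'block', 'allow' or 'throttle'."""
        category = classify(request_target(request_line))
        policy = POLICY.get(category, ("allow",))
        if policy[0] == "block":
            return "block", category
        if policy[0] == "limit":
            key = (client, category)
            bucket = self.buckets.get(key)
            if bucket is None:
                bucket = self.buckets[key] = TokenBucket(policy[1], policy[2], now)
            return ("allow" if bucket.take(nbytes, now) else "throttle"), category
        return "allow", category


if __name__ == "__main__":
    # Constructed request lines, as a proxy would see them (hypothetical hosts).
    gw = Gateway()
    samples = [
        ("10.0.0.5", "CONNECT bad.example:443 HTTP/1.1", 1_000, 0.0),
        ("10.0.0.5", "GET http://intranet.example/report HTTP/1.1", 5_000, 0.0),
        ("10.0.0.5", "CONNECT www.youtube.com:443 HTTP/1.1", 1_500_000, 0.0),
        ("10.0.0.5", "CONNECT www.youtube.com:443 HTTP/1.1", 1_500_000, 0.0),
        ("10.0.0.5", "CONNECT www.youtube.com:443 HTTP/1.1", 1_500_000, 1.0),
    ]
    for client, line, size, t in samples:
        print(t, client, line.split(" ")[1], gw.decide(client, line, size, t))
```

The two consecutive `CONNECT www.youtube.com` requests at the same instant show the rate limiter in action: the first fits in the 2 MB burst, the second is throttled, and one simulated second later enough tokens have refilled for the next one to pass. Keying buckets on `(client, category)` rather than on the full URL is what makes this workable behind TLS, where the path is not available to match on.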