- From: Francois Daoust <fd@w3.org>
- Date: Mon, 21 Jul 2008 09:15:42 +0200
- To: Jo Rabin <jrabin@mtld.mobi>
- CC: "Sullivan, Bryan" <BS3131@att.com>, public-bpwg-ct@w3.org
[Apologies for the noise, re-sending this with an hyphen in ACTION-813 for the benefits of tracker] Jo Rabin wrote: > > > > On 16/07/2008 16:50, Sullivan, Bryan wrote: >> Here is my input on this subject. Overall I'm skeptical whether a >> normal HTTP proxy (as compared to a specialized client-server >> solution for CT) can reliably transform HTTPS links without a number >> of caveats and options for opt-out. > > I agree > >> >> The CT Proxy Operator needs to recognize that not only are there >> user-related security implications of rewriting HTTPS links, but >> there may be reliability-related concerns as well, such as breaking >> the trust model for server certificates and site assets trusted based >> upon the trust of the server. There may be very good reasons why the >> application itself may not work when transformed. >> >> 1) This is a fairly complex subject. The CT guidelines need to >> recognize that and not put vendors, service providers, and users in >> unchartered waters without adequate fallback/opt-out, under control >> of the: > If there is a place where it does this can you point out pls > >> >> a) CT Proxy Operator: the most common method will be the allow/deny >> lists that we have already discussed :-) >> > How CT Proxies work internally (allow/deny lists, magic, thought > transference etc.) is up to them, surely. We are interested in the > externally measurable effects, not the means to achieve them > >> b) CP: there should be a mechanism whereby the CP can indicate that a >> specific link should not be rewritten. NOTE this requires something >> in the anchor and link tags, in the page that references the HTTPS >> URI to be rewritten. > I don't think we have a mechanism by which we can achieve this. It seems > as though it might be an entry under "scope of future work". The CP can > tell if a link has been rewritten because a request for an HTTPS page > will come from a CT proxy and it can return a 406 status. > >> >> c) User: the user should be given this option/responsibility (I would >> even call it a burden to most users), only if the CT Proxy Operator >> and CP both approve operating in link-rewriting mode, for the current >> site/resource. > > That is what we suggest, isn't it? That if it happens then the user > should be informed and alternatives offered. > >> >> Other points (initial ones, for discussion): >> >> 2) to maintain security/privacy, secure resources (defined by the CP >> with having HTTPS URI) MUST be served to the user-agent over a secure >> connection > > There was something under the server response section that said that if > a request was received for an http resource but that it was not > requested in an HTTPS way then it should note this and take approriate > action. But that section is gone with the sands of time and I don't > recall why. >> >> 3) depending upon whether it is operating in transparent mode or not >> (i.e. from the user-agent perspective, whether the user-agent is >> configured to use the CT proxy as its normal HTTP proxy), the CT >> proxy will need to handle secure resource requests that are initiated >> by: a) in configured HTTP proxy mode, requests are initiated via HTTP >> CONNECT - If the CT proxy has a different address from the configured >> HTTP proxy address, the user-agent will initiate the request via the >> HTTP CONNECT method, and - If the CT proxy is an internal function >> behind a HTTP proxy front end (and operates more link a local content >> server), for already re-written URI's, the HTTP proxy would setup a >> local SSL connection to the CT proxy. - For un-rewritten URI's, >> normal behavior would have the HTTP proxy setup an SSL connection to >> the CP, bypassing the CT proxy. Only if the HTTP proxy was "CT proxy >> function-aware" would it setup an SSL connection to the CT proxy >> instead. b) in transparent HTTP proxy mode, requests are initiated >> via SSL connection (first) for URI's that the CT proxy has already >> re-written. Note that un-rewritten URI's would not be directed to the >> CT proxy unless the transparent HTTP proxy has the same "CT proxy >> function awareness" described above. > > I'm afraid I don't understand what, if any, changes you suggest. > >> >> 4) cookies must be re-written to refer to the CT proxy domain, but >> this may break some cookies (implications need to be investigated... >> It is risky just to assume there will be no side-effects) > We don't refer to cookies anywhere at all, I'd rather not do so unless > necessary. >> >> 5) Note that not all secure links can/will be re-written; only links >> that actually delivered through the CT proxy so that it has a chance >> to re-write them. There are many methods of URI discovery (email, >> SMS, MMS, WAP Push, IM, other device clients...) via which the >> browser may obtain URIs. If one of those is a secure URI, only if the >> CT proxy is configured as a normal proxy will it have a chance to >> intercept/transform the request. > > If we can steer clear of how this is all configured in the network that > would be a good thing. > >> >> 6) (5) also relates to Heiko's point about the user-agent bypassing >> the CT proxy service at some point, and not returning (since it's >> going direct from that point on). Unless the CT proxy is operating as >> a normal or transparent proxy (as compared to just a site that I >> browse to and get transformation service thru), then the user-agent >> can surf away from it and never return except by the same method it >> was originally accessed. > > I think we are looking at the case where all requests are potentially > intercepted. But again would prefer to avoid mention of the > configuration issues. > >> >> 7) Things can get really screwed up if some resources are rewritten >> and others not, e.g. with cookies and javascript functions. >> >> Separately: I think I know what is meant by "link mode" but is it a >> common term? I can't find any references to it in this sense. Do you >> mean whether the CT proxy is operating as a normal (configured) HTTP >> proxy? >> >> Bryan Sullivan | AT&T -----Original Message----- From: >> public-bpwg-ct-request@w3.org [mailto:public-bpwg-ct-request@w3.org] >> On Behalf Of Gerlach, Heiko, VF-Group Sent: Wednesday, July 16, 2008 >> 12:06 AM To: public-bpwg-ct@w3.org Subject: ACTION 813 - https link >> re-writing >> >> >> Hi All, >> >> Please see below: >> >> 3.3.6.2: New: Due to the nature of a transforming proxy, there will >> not be end to end security for HTTPS, when content transformation >> will be applied. >> >> If the response contains links whose URIs have the scheme https the >> proxy may only rewrite them so that it can transform the content, if >> it meets the following provision: >> >> If a proxy does rewrite such links, it must advise the user of the >> security implications of doing so and must provide the option to >> avoid decryption and transformation of the resources the links refer >> to, by bypassing the CT proxy for accessing the original content >> without touching the proxy. >> >> Note: If the user decides for the latter option, the session might >> never return back to content transcoding, based on the technical >> integration of the CT proxy (link mode) >> >> OPEN TO DISCUSS: How about proxy mode integration??? Do we need to >> menntion those tech integration options? >> >> >> Old: If the response contains links whose URIs have the scheme https >> the proxy may only rewrite them so that it can transform the content, >> if it meets the following provision. If a proxy does rewrite such >> links, it must advise the user of the security implications of doing >> so and must provide the option to avoid decryption and transformation >> of the resources the links refer to. >> >> >> Cheeers >> >> Heiko Gerlach Vendor Manager / Product Owner Global Consumer Internet >> Services & Platforms Tel: +49 211 820 2168 Fax: +49 211 820 2141 >> Mobile +49 172 20 40 50 7 E-Mail: heiko.gerlach@vodafone.com >> >> >> Vodafone Group Services GmbH Mannesmannufer 2, D-40213 Düsseldorf >> Amtsgericht Düsseldorf, HRB 53554 Geschäftsführung: Dr. Joachim >> Peters, Rainer Wallek >> >> >> This message and any files or documents attached are confidential and >> may also be legally privileged or protected by other legal rules. It >> is intended only for the individual or entity named. If you are not >> the named addressee or you have received this email in error, please >> inform the sender immediately, delete it from your system and do not >> copy or disclose it or its contents or use it for any purpose. Thank >> you. Please also note that transmission cannot be guaranteed to be >> secure or error- >> >> > >
Received on Monday, 21 July 2008 07:15:53 UTC