Re: Draft finding - "Transitioning the Web to HTTPS" from Martin Thomson on 2015-01-29 (www-tag@w3.org from January 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 28 Jan 2015 21:51:29 -0800
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: Tim Berners-Lee <timbl@w3.org>, "Eric J. Bowman" <eric@bisonsystems.net>, Mark Watson <watsonm@netflix.com>, Henri Sivonen <hsivonen@hsivonen.fi>, Public TAG List <www-tag@w3.org>
Message-ID: <CABkgnnWOtqHPNZoVAcF8VTQeDb0tX=768ZLqhjrCqfckoX0VZA@mail.gmail.com>

On 28 January 2015 at 20:01, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
> Do we have a clear answer on the technical bits: does insertion of an
> advertisement violate the technical specifications for HTTP? If so, where is
> the pertinent specification text? Thanks!

I don't think that the text of the HTTP RFC provides strong support
for the idea that a transforming proxy is legitimate.  But that might
be considered to be predicated on the concept of a proxy being
selected for that purpose.

   A proxy SHOULD NOT modify header fields that provide information
   about the endpoints of the communication chain, the resource state,
   or the selected representation (other than the payload) unless the
   field's definition specifically allows such modification or the
   modification is deemed necessary for privacy or security.

-- https://tools.ietf.org/html/rfc7230#section-5.7.2

"security" is such a nebulous term.  Besides, it's only a "SHOULD
NOT", which is trumped by "I know better (I think)".

But very few people explicitly configure a proxy.  We're really
talking about an intercepting proxy and for those the text seems
pretty negative:

   Network intermediaries are
   indistinguishable (at a protocol level) from a man-in-the-middle
   attack, often introducing security flaws or interoperability problems
   due to mistakenly violating HTTP semantics.

-- https://tools.ietf.org/html/rfc7230#section-2.3

But then there is this:

   When a registered name is used in the authority component, the "http"
   URI scheme (Section 2.7.1) relies on the user's local name resolution
   service to determine where it can find authoritative responses.

-- https://tools.ietf.org/html/rfc7230#section-9.1

I could interpret this mean that an intermediary that is identified by
name resolution is entirely authoritative.  So while I think that the
intent is to describe interception proxies as categorically bad, I
think that the text on establishing authority could be read as tacit
approval by some.

Received on Thursday, 29 January 2015 05:51:56 UTC