Re: Some proxy needs

"Nicolas Mailhot" <nicolas.mailhot@laposte.net> Sun, 08 April 2012 20:03 UTC

Message-ID: <4d2620885d1dab5c52de68b1a4aafabd.squirrel@arekh.dyndns.org>
In-Reply-To: <81695.1333888911@critter.freebsd.dk>
References: <81695.1333888911@critter.freebsd.dk>
Date: Sun, 08 Apr 2012 22:01:50 +0200
From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Nicolas Mailhot <nicolas.mailhot@laposte.net>, ietf-http-wg@w3.org
Archived-At: <http://www.w3.org/mid/4d2620885d1dab5c52de68b1a4aafabd.squirrel@arekh.dyndns.org>

On Sun 8 April 2012 14:41, Poul-Henning Kamp wrote:

>>4. A way to inspect most of the client communication for malware. I say most
>>because :
>
> If the site policy is "everything gets inspected", the protocol must support
> that, either by allowing inspection, or by preventing the communication.
>
> If site administrators choose not to, because of sound use of
> discretion, legal requirements etc., that is not a relevant factor in
> the standardization.

The real world is not black-and-white. A big proxy setup is a compromise between
what the security people want (inspect everything for malware) and user
happiness (some privacy). For some kinds of web sites the legal risks of
inspecting will outweigh the legal risks of not inspecting (user bank accesses
almost certainly fall there). That only reflects the ambivalence of general
law on this subject. Any law-abiding operator will try to match the law as
closely as possible.

Exceptions that won't be inspected even though the general policy is to
inspect will always be a minority, because setting up exception lists is
administrative hell, but the protocols should permit such lists to be put in
place.

Like Willy wrote previously, a typical proxy setup is a tiered config of
general rules, positive exceptions (do it even though the general rules say
you should not), and negative exceptions (don't do it anyway). There is no
reason choosing whether or not to inspect encrypted communications won't be
handled the same way.

Regards,

-- 
Nicolas Mailhot
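The tiered policy described in this message (general rules, positive exceptions that force inspection, negative exceptions that forbid it, with a legal carve-out for banking as the motivating case) as a small worked example. This is an added illustration, not code from the thread or from any real proxy: the `InspectionPolicy` class, the wildcard pattern syntax, the tier precedence (negative beats positive beats general beats default) and every hostname under `.test` are constructed for the example.

```python
"""Tiered inspection policy for an intercepting proxy: general rules, positive
exceptions (inspect even though the general rules say not to) and negative
exceptions (never inspect, whatever the other tiers say).
Added example; not code from any real proxy. All hostnames are constructed."""

from dataclasses import dataclass, field
from typing import Iterable, Optional


def pattern_matches(pattern: str, host: str) -> bool:
    """'*.example.test' matches example.test and every subdomain of it;
    a bare name matches only that exact host."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def most_specific(patterns: Iterable[str], host: str) -> Optional[str]:
    """Among the patterns that match host, pick the longest one, so a narrower
    rule ('*.corp.example.test') beats a broader one ('*.example.test')
    inside the same tier."""
    hits = [p for p in patterns if pattern_matches(p, host)]
    return max(hits, key=len) if hits else None


@dataclass
class InspectionPolicy:
    default_inspect: bool = True                             # site policy
    general_rules: dict = field(default_factory=dict)        # pattern -> inspect?
    positive_exceptions: set = field(default_factory=set)    # force inspection
    negative_exceptions: set = field(default_factory=set)    # forbid inspection

    def decide(self, host: str) -> tuple:
        """Return (inspect?, reason). Tiers are consulted from most to least
        authoritative: negative, then positive, then general, then default."""
        host = host.lower().rstrip(".")
        hit = most_specific(self.negative_exceptions, host)
        if hit is not None:
            return False, f"negative exception {hit}"
        hit = most_specific(self.positive_exceptions, host)
        if hit is not None:
            return True, f"positive exception {hit}"
        hit = most_specific(self.general_rules, host)
        if hit is not None:
            return self.general_rules[hit], f"general rule {hit}"
        return self.default_inspect, "default"


def example_policy() -> InspectionPolicy:
    """Constructed policy: inspect everything, except a trusted partner's
    traffic, except that partner's download host, except anything in the
    legal carve-outs (banking, health), which are never inspected."""
    return InspectionPolicy(
        default_inspect=True,
        general_rules={"*.partner.test": False},
        positive_exceptions={"downloads.partner.test"},
        negative_exceptions={"*.bank.test", "*.health.test"},
    )


if __name__ == "__main__":
    policy = example_policy()
    for h in ("www.example.test", "mail.partner.test",
              "downloads.partner.test", "online.bank.test"):
        inspect, why = policy.decide(h)
        print(f"{h:26} inspect={str(inspect):5} ({why})")
```

The order of the three `most_specific` lookups in `decide` is the whole point: a host that appears in both a positive and a negative list is not inspected, so the legally sensitive carve-outs cannot be undone by a later "inspect this anyway" entry, and within one tier the longest pattern wins so that narrow rules can be layered on broad ones.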