Re: The future of forward proxy servers in an http/2 over TLS world

Alex Rousskov <rousskov@measurement-factory.com> Mon, 27 February 2017 17:44 UTC

On 02/26/2017 06:50 PM, Mark Nottingham wrote:

> What I'm hearing from the discussion is that [...] *any* ability to
> indicate the real nature of the problem would help avoid deploying
> more MitM

> The sweet spot sounds like it needs to balance the network 
> administrator's desire to convey the reason and their identity with
> the browser vendors' need to minimise the new surface area exposed,
> as well as resources to implement.

> I wrote that draft with that in mind -- happy to change the details. 

I do not know how to phrase this so that it does not sound unnecessarily
harsh, but it feels like you are hearing what you want to hear (i.e.,
what your draft enables): On this thread, I have heard virtually no
reasonable justification for limiting the proxy error vocabulary.

Yes, several folks shared stories about those old browser bugs and were
justifiably worried about the dangers of incorrectly presenting
from-proxy content. And yes, one person said that he is going to
recommend Firefox because that browser reveals a tiny bit more about the
error, but there is a huge gap between all that and a claim that a
limited vocabulary would both alleviate those fears and address enough
use cases IMHO.

This is not meant as an attack of some sort. I am only claiming that
there is currently no consensus about or even rational justification for
the limited vocabulary (and the latest example with a plain text phone
number is a good illustration why there should not be). I am worried
that if we push limited vocabulary as The Solution, and browsers
painfully implement that, but the volume of needless MitM attacks does
not go down substantially (because limited vocabulary is not The
Solution), then we will be in an even worse position than we are today.


Thank you,

Alex.