Re: The future of forward proxy servers in an http/2 over TLS world
"Adrien de Croy" <adrien@qbik.com> Fri, 17 February 2017 05:08 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B762F129892 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Feb 2017 21:08:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zUp9vmaIiZHg for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Feb 2017 21:08:26 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1057C1293E1 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 16 Feb 2017 21:08:25 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ceakE-0006ox-Ah for ietf-http-wg-dist@listhub.w3.org; Fri, 17 Feb 2017 05:06:10 +0000
Resent-Date: Fri, 17 Feb 2017 05:06:10 +0000
Resent-Message-Id: <E1ceakE-0006ox-Ah@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <adrien@qbik.com>) id 1ceak9-0006oA-Tg for ietf-http-wg@listhub.w3.org; Fri, 17 Feb 2017 05:06:05 +0000
Received: from smtp.qbik.com ([122.56.26.1]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_ARCFOUR_128_SHA1:128) (Exim 4.84_2) (envelope-from <adrien@qbik.com>) id 1ceak2-0008KC-Sx; Fri, 17 Feb 2017 05:06:00 +0000
Received: From [192.168.1.146] (unverified [192.168.1.146]) by SMTP Server [192.168.1.3] (WinGate SMTP Receiver v9.0.4 (Build 5915)) with SMTP id <0000966771@smtp.qbik.com>; Fri, 17 Feb 2017 18:05:28 +1300
From: Adrien de Croy <adrien@qbik.com>
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>
Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Ryan Hamilton <rch@google.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Date: Fri, 17 Feb 2017 05:05:28 +0000
Message-Id: <emc8dbe08a-a3c7-4107-9839-4eef8db65d47@bodybag>
In-Reply-To: <20170217045246.798E51B04D@welho-filter2.welho.com>
References: <em2b16b855-c719-422a-9488-6c34893e2432@bodybag> <20170217045246.798E51B04D@welho-filter2.welho.com>
Reply-To: Adrien de Croy <adrien@qbik.com>
User-Agent: eM_Client/7.0.27943.0
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=122.56.26.1; envelope-from=adrien@qbik.com; helo=smtp.qbik.com
X-W3C-Hub-Spam-Status: No, score=-4.6
X-W3C-Hub-Spam-Report: AWL=-0.666, BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1ceak2-0008KC-Sx 4034c53cf11f349cfb30881b33555bc2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: The future of forward proxy servers in an http/2 over TLS world
Archived-At: <http://www.w3.org/mid/emc8dbe08a-a3c7-4107-9839-4eef8db65d47@bodybag>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33566
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
I fail to see what a side-channel would even add in this case. There's already communication between the client and the proxy. It's the CONNECT request message and its response. It was the abandonment of that response in non-200 cases that led to the need to deploy MitM. It was deemed easier to just do this, rather than code a browser to not follow a 30x response to CONNECT or to not display working forms from 403 response bodies to CONNECT requests. The phishing argument gets wheeled out every time, but it doesn't hold water for a second. A browser displaying a form and performing its action does so by the browser's choice. To do so based on content in a 403 response to CONNECT is unjustifiable. Displaying the original URI in the navigation bar is completely wrong as well. But instead of just saying "hang on a minute, this is a 403 from a CONNECT" and displaying in some safe mode, clearing the URL, no that was too much work, we'll just throw the whole thing away, who cares about users, they can run around in circles doing the suggestions we tell them which we know are false. Make sure the URL is valid search for it Check your connectivity I've had people who have spent hours checking cables, routers, ringing site operators etc to finally get to us and when we tell them what is going on, they are very far from impressed. But now I have 2 answers, MitM or Firefox. Cheers ------ Original Message ------ From: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org> To: "HTTP working group mailing list" <ietf-http-wg@w3.org> Cc: "Adrien de Croy" <adrien@qbik.com>; "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>; "Ryan Hamilton" <rch@google.com>; "HTTP working group mailing list" <ietf-http-wg@w3.org> Sent: 17/02/2017 5:52:45 PM Subject: Re: The future of forward proxy servers in an http/2 over TLS world >> But if the proxy can mint certs that are trusted by the browser, the >> question is how is that. The proxy would need to be using a signing >> cert that is trusted by the browser, and how did it get installed in >>the >> browser? > >If proxy CA certificate can be installed to browser, then it is also >possible >to install browser plugin to browser. > >That browser plugin can implement some kind sidechannel. > >But different browsers and OSes, cpus need all diffrent plugin. >Proxy CA certificate format does not change here. > >I see why that direction is selected. > >And network border (or proxy) need some way to verify plugin >is active and sidechannel is in use on many use scenario. >Otherwise may be even disabled accidentally on browser update. > >Hmm. One radical sidechannel is what tells symmectric encryption >key of TLS connection. I guess that this is not acceible for browser >plugin either. In that case proxy can verify that it have symmectric >encryption key for TLS connection. > > >Internet Content Adaptation Protocol (ICAP, RFC 3507) >can perhaps act as standardised sidechannel protocol, >but that does not look like practical and is is >not implemneted by browsers. Basically that means >that content is moved several times. And also >network border (or proxy) can not verify that sidechannel >is on use. > >/ Kari Hurtta > > >
- The future of forward proxy servers in an http/2 … Adrien de Croy
- Re: The future of forward proxy servers in an htt… Dave Dolson
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Poul-Henning Kamp
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Alex Rousskov
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Patrick McManus
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Patrick McManus
- Re: The future of forward proxy servers in an htt… Ryan Hamilton
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Patrick McManus
- RE: The future of forward proxy servers in an htt… Mike Bishop
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Alex Rousskov
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Alex Rousskov
- Re: The future of forward proxy servers in an htt… Tom Bergan
- Re: The future of forward proxy servers in an htt… Alex Rousskov
- Re: The future of forward proxy servers in an htt… Poul-Henning Kamp
- Re: The future of forward proxy servers in an htt… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Tom Bergan
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Roland Zink
- Re: The future of forward proxy servers in an htt… Ryan Hamilton
- Re: The future of forward proxy servers in an htt… Amos Jeffries
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Willy Tarreau
- Re: The future of forward proxy servers in an htt… Tom Bergan
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… nicolas.mailhot
- Re: The future of forward proxy servers in an htt… Francesco Chemolli
- Re: The future of forward proxy servers in an htt… Chris Bentzel
- Re: The future of forward proxy servers in an htt… Mark Nottingham
- Re: The future of forward proxy servers in an htt… Alex Rousskov
- Re: The future of forward proxy servers in an htt… Mark Nottingham
- Re: The future of forward proxy servers in an htt… Alex Rousskov
- Re: The future of forward proxy servers in an htt… Willy Tarreau
- Re: The future of forward proxy servers in an htt… Poul-Henning Kamp
- Re: The future of forward proxy servers in an htt… Patrick McManus
- Re: The future of forward proxy servers in an htt… Willy Tarreau
- Re: The future of forward proxy servers in an htt… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Alex Rousskov
- Re: The future of forward proxy servers in an htt… Poul-Henning Kamp
- Re: The future of forward proxy servers in an htt… Roland Zink
- UI | Re: The future of forward proxy servers in a… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Poul-Henning Kamp
- forward HTTPS proxy | Re: The future of forward p… Kari Hurtta
- RE: forward HTTPS proxy | Re: The future of forwa… Mike Bishop
- Re: forward HTTPS proxy | Re: The future of forwa… Alex Rousskov
- Re: forward HTTPS proxy | Re: The future of forwa… Kari Hurtta
- Re: forward HTTPS proxy | Re: The future of forwa… Kari Hurtta
- Re: forward HTTPS proxy | Re: The future of forwa… Kari Hurtta
- Re: The future of forward proxy servers in an htt… Adrien de Croy
- Re: The future of forward proxy servers in an htt… Tom Bergan