Re: The future of forward proxy servers in an http/2 over TLS world
"Adrien de Croy" <adrien@qbik.com> Fri, 17 February 2017 04:51 UTC
From: Adrien de Croy <adrien@qbik.com>
To: Ryan Hamilton <rch@google.com>
Cc: Tom Bergan <tombergan@chromium.org>, Alex Rousskov <rousskov@measurement-factory.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Fri, 17 Feb 2017 04:47:43 +0000

------ Original Message ------
From: "Ryan Hamilton" <rch@google.com>

>On Thu, Feb 16, 2017 at 12:35 PM, Adrien de Croy <adrien@qbik.com>
>wrote:
>>
>>Hi Tom
>>
>>the predominant use-cases are as follows.
>>
>>1. A corporation, with many employees with computers and internet
>>access. The employer doesn't want the employees spending all day on
>>facebook, youtube, or other sites, unless it's the customer-support /
>>social media department.
>>
>>2. A school which doesn't want students surfing porn
>

obviously there are many other use cases as well.

>
>>In all these cases, you have the issue of many computers, and a single
>>policy. To block in the browser requires several things, a
>>centralised management of the policy, disseminated to the browser,
>>some way of securing this so the users don't disable it etc.
>
>Many browsers provide enterprise management functionality for exactly
>this sort of use case.

yes, but most deployment situations involve many different platforms and browsers. The proxy solution works for all, does not suffer from version hell with incompatible browser updates etc.

>
>>If on the other hand you intercept outbound connections, and force
>>them through a proxy, or require use of a proxy for internet access,
>>you can enforce the policy in a place that's removed from the users.
>>
>>Other features like a shared cache, AV scanning etc are also commonly
>>used.
>>
>>Also, there are products that provide categorization of sites. If you
>>wanted to allow all sites except porn sites, and to block that in a
>>browser, you would need to know what all the porn sites are.
>>
>>There are products that track this, but they are expensive, have a
>>large resource footprint etc. You can't be running this on every
>>endpoint.
>>
>>So central control is required, and this is a proxy.
>
>Many enterprises go this route of using a proxy that mints
>certificates and MITMs the connection to enforce policy.
>

They do, but I'm not even talking about this.

The question was about whether control should be in the UA or a proxy.

If I look back over the last couple of years, all the time we have recommended using MitM to customers is for dealing with this specific issue. No other issue. They aren't by and large asking us how do we cache https sites, they are asking us how can we show proper block pages for https sites.

Adrien