Re: [Int-area] New version of WPADNG
Josh Cohen <joshco@gmail.com> Thu, 18 July 2024 13:30 UTC
From: Josh Cohen <joshco@gmail.com>
Date: Thu, 18 Jul 2024 09:29:25 -0400
Message-ID: <CAF3KT4QYM+y+43LU3DNxX4S5LOGYe0SoLBZRhjOTVrM7X_RUdQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, int-area@ietf.org, ietf-http-wg@w3.org
On Wed, Jul 17, 2024 at 11:00 PM Watson Ladd <watsonbladd@gmail.com> wrote:
> On Wed, Jul 17, 2024, 7:36 PM Josh Cohen <joshco@gmail.com> wrote:
> >
> > You lost me with the nuclear submarine reference. I'm guessing instead
> > of a terminal room, the IETF now has a navy?
>
> https://en.m.wikipedia.org/wiki/USS_Jimmy_Carter She wasn't made for
> sitting around.
>
> >
> > The coffee shop gives you your IP address, default route to the
> > Internet, DNS servers and other DHCP options. It often has a captive
> > portal, which may also have a transparent proxy that filters, can eavesdrop
> > or otherwise abuse you. It is *their* network after all, you are just a
> > guest. That's aside from chai latte sipping wifi snoopers and the general
> > jungle of public wifi.
>
> So what's WPAD doing here? It's just another way to get that traffic
> to the wrong place. Again, the Internet threat model has the network
> be untrusted. That might be bad news for the vendors of devices that
> don't work that way, but that's what the RFC and design says. And
> indeed the coffee shop router shouldn't be trusted.
>

I am having déjà vu. We had a similar debate 25 years ago. Proxy servers in general weren't exactly popular because they violate the end-to-end ethos. With respect to the network being untrusted, enterprises will push back on that. They will do things that seem draconian.

> >
> > I'm definitely getting the "WPAD suxorz" vibe, but what's missing are
> > answers to how scenarios WPAD currently addresses will be addressed without
> > it.
> >
> > At work, your computer uses your enterprise's proxy. When you arrive at
> > the coffeeshop, will you go into your computer's settings and turn off the
> > proxy? When you go back to work the next day, will you go back into your
> > settings and turn it on again?
>
> I think this scenario is due to some fundamental confusion. What is
> the enterprise proxy doing? Why is it safe to turn off that function
> at the coffeeshop or entrust it to some random person given the
> computer will be back on the network the next day? And if the
> enterprise network needs to administer hosts, it can do that through
> much better ways.
>

I was assuming a situation where the enterprise proxy is not accessible from outside of the enterprise network.

> >
> > On Wed, Jul 17, 2024 at 7:50 PM Watson Ladd <watsonbladd@gmail.com>
> > wrote:
> >>
> >> One adversary is willing to devote an entire nuclear submarine to the
> >> task. They are more than willing to use existing vulnerabilities in
> >> ways that you never hear about because they are good at their jobs.
> >>
> >> If you use network links to configure your device, and the device goes
> >> to the coffeeshop, that coffeeshop gets to configure the device.
> >> That's just inherently a bad idea, and always has been.
> >>
> >> Sincerely,
> >> Watson Ladd
> >>
> >> --
> >> Astra mortemque praestare gradatim
> >
> >
> > --
> >
> > ---
> > Josh Cohen

-- 
---
Josh Cohen
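As an added illustration (not code from this thread or from the WPADNG draft), the following Python models the client-side decision the two scenarios above turn on: the attached network hands the host a DNS suffix and, via WPAD, a PAC URL, and an assumed policy honours WPAD only on administrator-trusted suffixes and only when the PAC is served from inside that suffix, so the enterprise proxy applies at work while a coffee-shop or look-alike offer is ignored without the user touching settings. All names, suffixes and URLs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class NetworkOffer:
    """What the attached network hands the host (constructed sample values)."""
    name: str
    dns_suffix: str            # connection-specific DNS suffix from DHCP
    pac_url: Optional[str]     # PAC URL advertised via WPAD, or None


@dataclass(frozen=True)
class ClientPolicy:
    """Assumed client-side rule (not from the draft): trust WPAD only here."""
    trusted_suffixes: frozenset


def choose_proxy(offer: NetworkOffer, policy: ClientPolicy) -> Tuple[str, str]:
    """Decide what to apply on this network: ("PAC", url) or ("DIRECT", why)."""
    suffix = offer.dns_suffix.lower().rstrip(".")
    if suffix not in policy.trusted_suffixes:
        return "DIRECT", f"untrusted network {suffix}: WPAD ignored"
    if offer.pac_url is None:
        return "DIRECT", f"trusted network {suffix} advertised no PAC"
    pac = urlsplit(offer.pac_url)
    host = (pac.hostname or "").lower()
    # Even on a trusted suffix, a PAC served from elsewhere is refused: a
    # rogue DHCP server or look-alike name must not redirect traffic.
    if pac.scheme != "http" or not host.endswith("." + suffix):
        return "DIRECT", f"PAC host {host or '?'} is outside {suffix}"
    return "PAC", offer.pac_url


POLICY = ClientPolicy(trusted_suffixes=frozenset({"corp.example"}))

# Constructed scenarios mirroring the thread: office, coffee shop, look-alike.
SCENARIOS = [
    NetworkOffer("office", "corp.example", "http://wpad.corp.example/wpad.dat"),
    NetworkOffer("cafe", "guest.cafe.example", "http://wpad.guest.cafe.example/wpad.dat"),
    NetworkOffer("lookalike", "corp.example", "http://wpad.corp.example.net/wpad.dat"),
]


def decide_all(policy: ClientPolicy = POLICY) -> dict:
    """Map each scenario name to the decision the client would apply."""
    return {o.name: choose_proxy(o, policy) for o in SCENARIOS}


if __name__ == "__main__":
    for name, (action, detail) in decide_all().items():
        print(f"{name:10s} -> {action}: {detail}")
```

Caveat: the DNS suffix is itself supplied by the network, so a real policy would key on something the network cannot assert (802.1X authentication state or an established VPN); the model only makes the decision point visible.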