Re: The future of forward proxy servers in an http/2 over TLS world

"Adrien de Croy" <adrien@qbik.com> Wed, 15 February 2017 20:14 UTC

From: Adrien de Croy <adrien@qbik.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>
Date: Wed, 15 Feb 2017 20:11:52 +0000
Message-Id: <emcb751fb1-f781-46c5-b888-0af8b1c2af7f@bodybag>
In-Reply-To: <CAOdDvNpR5i4xu9viAXD2ioG5W096xAHz4EHzByQL8ZN4FO-sTg@mail.gmail.com>
References: <emde1bfa93-84c0-49f7-83a4-b9bed24e0276@bodybag> <20170215193126.C090E1F063@welho-filter1.welho.com> <embaebd293-2d9d-4e45-9048-2763e892ceb0@bodybag> <CAOdDvNpR5i4xu9viAXD2ioG5W096xAHz4EHzByQL8ZN4FO-sTg@mail.gmail.com>
Reply-To: Adrien de Croy <adrien@qbik.com>
Subject: Re: The future of forward proxy servers in an http/2 over TLS world
Archived-At: <http://www.w3.org/mid/emcb751fb1-f781-46c5-b888-0af8b1c2af7f@bodybag>

Yes, that's what caused the problem in the first place, and until we 
trust the proxy I don't think we'll move on from there.

Which means the connection to the proxy needs to be TLS.

We already support this with WinGate and I've verified it with Chrome 
and Firefox.  In that case couldn't the client trust an error response 
body from CONNECT?

Adrien


------ Original Message ------
From: "Patrick McManus" <mcmanus@ducksong.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>; "HTTP working group 
mailing list" <ietf-http-wg@w3.org>
Sent: 16/02/2017 9:08:16 AM
Subject: Re: The future of forward proxy servers in an http/2 over TLS 
world

>there is no firefox support for that right now. It would require a 
>convincing UI and probably interest from another client to proceed 
>with. The concern is obviously some kind of phish mitm any time you are 
>asked to display https and you display anything not authenticated by 
>that origin.
>
>
>On Wed, Feb 15, 2017 at 3:02 PM, Adrien de Croy <adrien@qbik.com> 
>wrote:
>>
>>Thanks for that
>>
>>looks like I already knew about it lol.
>>
>>Do we have any idea about whether this has browser support, I assume 
>>FF so far only?
>>
>>Adrien
>>
>>
>>------ Original Message ------
>>From: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>
>>To: "Adrien de Croy" <adrien@qbik.com>
>>Cc: "HTTP working group mailing list" <ietf-http-wg@w3.org>; "Kari 
>>Hurtta" <hurtta-ietf@elmme-mailer.org>
>>Sent: 16/02/2017 8:31:25 AM
>>Subject: Re: The future of forward proxy servers in an http/2 over TLS 
>>world
>>
>>>>  This means we have a need to be able to respond to CONNECT with a
>>>>  denial, and some kind of message that can be displayed to the user.
>>>
>>>Maybe
>>>
>>>https://tools.ietf.org/id/draft-nottingham-proxy-explanation-00.txt
>>>
>>>https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html
>>>
>>>https://bugzilla.mozilla.org/show_bug.cgi?id=637619#c31
>>>
>>>https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0419.html
>>>
>>>/ Kari Hurtta
>>>
>>
>>
>
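The question in this thread (can a client safely show the body of a non-2xx CONNECT response once the hop to the proxy is TLS, given the phishing/MITM concern raised by Patrick?) worked as a small Python example. This is an added illustration, not code from the thread, from WinGate or from Firefox. It assumes the client has already completed and certificate-verified TLS to the proxy (expressed as the `proxy_hop_is_tls` flag), handles only HTTP/1.1 responses framed by Content-Length, and, as a design choice of this example rather than something the thread states, renders only `text/plain` explanations so a proxy message can never be displayed as an origin-looking page. All sample responses are constructed.

```python
from dataclasses import dataclass


@dataclass
class ConnectDecision:
    tunnel: bool            # a 2xx established the tunnel
    status: int
    show_explanation: bool  # the body may be shown, labelled as the proxy's
    explanation: str        # decoded body when trusted, otherwise ""
    leftover: bytes         # bytes after the head that belong to the tunnel (2xx only)
    reason: str


def parse_connect_response(raw: bytes):
    """Split a CONNECT response into (status, lower-cased headers, bytes after the head)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        raise ValueError("malformed status line")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return status, headers, rest


def decide(raw: bytes, proxy_hop_is_tls: bool) -> ConnectDecision:
    """Classify a CONNECT response and decide whether its body may be shown."""
    status, headers, rest = parse_connect_response(raw)
    if 200 <= status < 300:
        # RFC 7231 section 4.3.6: a 2xx to CONNECT carries no body; the client ignores
        # Content-Length/Transfer-Encoding and treats anything after the head as the
        # first bytes of the tunnel (here the start of the origin's TLS handshake).
        return ConnectDecision(True, status, False, "", rest, "tunnel established")
    # Non-2xx: the proxy refused. The body is the proxy's own message and is framed
    # like any other response; only Content-Length framing is handled here.
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = 0
    body = rest[:length]
    if not proxy_hop_is_tls:
        # On a plaintext hop anyone on path could have written this response,
        # so nothing from it is rendered; the client shows only a generic failure.
        return ConnectDecision(False, status, False, "", b"",
                               "plaintext proxy hop: body discarded")
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    if media != "text/plain":
        # Assumption of this example: only plain text is ever shown, and it is
        # presented as coming from the proxy, never as the requested https origin.
        return ConnectDecision(False, status, False, "", b"",
                               f"unsupported explanation type {media!r}")
    return ConnectDecision(False, status, True, body.decode("utf-8", "replace"), b"",
                           "explanation from TLS-authenticated proxy")


# Constructed sample responses (not captured from any real proxy).
SAMPLE_TUNNEL = (b"HTTP/1.1 200 Connection established\r\n\r\n"
                 b"\x16\x03\x01\x00\x05hello")
SAMPLE_DENY = (b"HTTP/1.1 403 Forbidden\r\n"
               b"Content-Type: text/plain; charset=utf-8\r\n"
               b"Content-Length: 34\r\n\r\n"
               b"Access to this host is not allowed")
SAMPLE_DENY_HTML = (b"HTTP/1.1 403 Forbidden\r\n"
                    b"Content-Type: text/html\r\n"
                    b"Content-Length: 21\r\n\r\n"
                    b"<h1>Site blocked</h1>")


if __name__ == "__main__":
    for name, raw, tls in [("tunnel", SAMPLE_TUNNEL, True),
                           ("deny over TLS hop", SAMPLE_DENY, True),
                           ("deny over plaintext hop", SAMPLE_DENY, False),
                           ("html deny over TLS hop", SAMPLE_DENY_HTML, True)]:
        print(f"{name}: {decide(raw, tls)}")
```

The split into `parse_connect_response` and `decide` keeps the framing rule (2xx has no body, everything after the head is tunnel data) separate from the trust rule (who is allowed to put text in front of the user). A real client would additionally need the Transfer-Encoding case and the HTTP/2 form of CONNECT, where the refusal arrives as a normal response on the stream and the same trust question applies.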