Re: The future of forward proxy servers in an http/2 over TLS world

Tom Bergan <tombergan@chromium.org> Fri, 17 February 2017 06:53 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C794C1293F0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Feb 2017 22:53:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.5
X-Spam-Level:
X-Spam-Status: No, score=-6.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LPR-mSky83aK for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 16 Feb 2017 22:53:17 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B84128874 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 16 Feb 2017 22:53:17 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cecNv-00059v-KG for ietf-http-wg-dist@listhub.w3.org; Fri, 17 Feb 2017 06:51:15 +0000
Resent-Date: Fri, 17 Feb 2017 06:51:15 +0000
Resent-Message-Id: <E1cecNv-00059v-KG@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <tombergan@chromium.org>) id 1cecNq-00053L-Ny for ietf-http-wg@listhub.w3.org; Fri, 17 Feb 2017 06:51:10 +0000
Received: from mail-wm0-f42.google.com ([74.125.82.42]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <tombergan@chromium.org>) id 1cecNk-0007kQ-3p for ietf-http-wg@w3.org; Fri, 17 Feb 2017 06:51:05 +0000
Received: by mail-wm0-f42.google.com with SMTP id c85so5772867wmi.1 for <ietf-http-wg@w3.org>; Thu, 16 Feb 2017 22:50:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TYBrupyqP4w6MN+c3gA/I/K+s9q31QJWhM1t4rFdv+c=; b=HOCjUhh4w/IUPBtnYae5dxI+2nWli3BMJ37vd1IV72jdkH7ix5OlkaRxCfFCAbxtGy KPlVuEckQD+sX2Kofv8IIsr24U+qwUWbHnQw+MaTlkF0O9fE0+2vcPvjZjFnyGLw1sAd eN8xfq2xL5jtB/V9ZwMEh11W1py8YboAF+RRA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TYBrupyqP4w6MN+c3gA/I/K+s9q31QJWhM1t4rFdv+c=; b=KFASgcDUmIQlC97mKUutlPn8PAWcjff7hwTCS5HTt/DQWRtavAIGxpgBzSB4lLhWON uqsqsAZwvgebOPMr8EQ/d0TYpwnaD/ajnCQZ5MVB8rQeTtCm5jphhQ+GE3Z/LqNutIWN OSCh6NDTA4gym1dYbU6Z7hvWUfKWUHc0TeGoo7KH5j2LrbJ24nimecdQgwGuMeMmaulg FUnD4hiqP7R62H7ymRL8hXnZIjU+T51eAxYaHyRZdmSrDO8KkAl8xOhTMO3qjUJZ8VNp klRvkgaClIO4HOavDtA3hDRXel0MPZChSvEGFQSoUHOfIU7SJ5Cgjbpf3jUaG5qzdo2t 7iyg==
X-Gm-Message-State: AMke39nqgt6NugsvSo3ibaTsYDMQc5/Z8hMeQfjVr5ggX7QA/o708u2terCHyhuM16eywjyT
X-Received: by 10.28.5.72 with SMTP id 69mr789205wmf.6.1487314237464; Thu, 16 Feb 2017 22:50:37 -0800 (PST)
Received: from mail-wr0-f171.google.com (mail-wr0-f171.google.com. [209.85.128.171]) by smtp.gmail.com with ESMTPSA id g6sm464644wmc.30.2017.02.16.22.50.36 for <ietf-http-wg@w3.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 16 Feb 2017 22:50:36 -0800 (PST)
Received: by mail-wr0-f171.google.com with SMTP id z61so24446240wrc.1 for <ietf-http-wg@w3.org>; Thu, 16 Feb 2017 22:50:36 -0800 (PST)
X-Received: by 10.223.136.123 with SMTP id e56mr5214827wre.28.1487314236428; Thu, 16 Feb 2017 22:50:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.135.201 with HTTP; Thu, 16 Feb 2017 22:50:35 -0800 (PST)
In-Reply-To: <emc8dbe08a-a3c7-4107-9839-4eef8db65d47@bodybag>
References: <em2b16b855-c719-422a-9488-6c34893e2432@bodybag> <20170217045246.798E51B04D@welho-filter2.welho.com> <emc8dbe08a-a3c7-4107-9839-4eef8db65d47@bodybag>
From: Tom Bergan <tombergan@chromium.org>
Date: Thu, 16 Feb 2017 22:50:35 -0800
X-Gmail-Original-Message-ID: <CA+3+x5G1fHcP9TzSh-NdKH7nFCYpH-Q07kO4TBD0tjWHJoUXNg@mail.gmail.com>
Message-ID: <CA+3+x5G1fHcP9TzSh-NdKH7nFCYpH-Q07kO4TBD0tjWHJoUXNg@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>, Ryan Hamilton <rch@google.com>
Content-Type: multipart/alternative; boundary="001a11498702bb9c540548b45474"
Received-SPF: pass client-ip=74.125.82.42; envelope-from=tombergan@chromium.org; helo=mail-wm0-f42.google.com
X-W3C-Hub-Spam-Status: No, score=-4.9
X-W3C-Hub-Spam-Report: AWL=-1.351, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1cecNk-0007kQ-3p a92c01a9c30b3e797a3c380bcb7e9d9d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: The future of forward proxy servers in an http/2 over TLS world
Archived-At: <http://www.w3.org/mid/CA+3+x5G1fHcP9TzSh-NdKH7nFCYpH-Q07kO4TBD0tjWHJoUXNg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33569
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Ok, thanks, it took me a while to parse what you're talking about. You
started by talking about TLS, HSTS, and PKP, and I thought you were talking
about the challenges of MITM-ing a connection. Moving blocking logic to a
side-channel removes the need to MITM.

Now it sounds like you just want to show custom error messages for rejected
CONNECT requests. Ryan can speak to Chrome's policy on this better than me.

[sorry for the dup, replied from the wrong address]

On Thu, Feb 16, 2017 at 9:05 PM, Adrien de Croy <adrien@qbik.com> wrote:

>
> I fail to see what a side-channel would even add in this case.
>
> There's already communication between the client and the proxy.  It's the
> CONNECT request message and its response.
>
> It was the abandonment of that response in non-200 cases that led to the
> need to deploy MitM.
>
> It was deemed easier to just do this, rather than code a browser to not
> follow a 30x response to CONNECT or to not display working forms from 403
> response bodies to CONNECT requests.
>
> The phishing argument gets wheeled out every time, but it doesn't hold
> water for a second.
>
> A browser displaying a form and performing its action does so by the
> browser's choice.  To do so based on content in a 403 response to CONNECT
> is unjustifiable.  Displaying the original URI in the navigation bar is
> completely wrong as well.
>
> But instead of just saying "hang on a minute, this is a 403 from a
> CONNECT" and displaying in some safe mode, clearing the URL, no that was
> too much work, we'll just throw the whole thing away, who cares about
> users, they can run around in circles doing the suggestions we tell them
> which we know are false.
>
> Make sure the URL is valid
> search for it
> Check your connectivity
>
> I've had people who have spent hours checking cables, routers, ringing
> site operators etc to finally get to us and when we tell them what is going
> on, they are very far from impressed.
>
> But now I have 2 answers, MitM or Firefox.
>
> Cheers
>
>
> ------ Original Message ------
> From: "Kari Hurtta" <hurtta-ietf@elmme-mailer.org>
> To: "HTTP working group mailing list" <ietf-http-wg@w3.org>
> Cc: "Adrien de Croy" <adrien@qbik.com>; "Kari Hurtta" <
> hurtta-ietf@elmme-mailer.org>; "Ryan Hamilton" <rch@google.com>; "HTTP
> working group mailing list" <ietf-http-wg@w3.org>
> Sent: 17/02/2017 5:52:45 PM
> Subject: Re: The future of forward proxy servers in an http/2 over TLS
> world
>
>  But if the proxy can mint certs that are trusted by the browser, the
>>>  question is how is that.  The proxy would need to be using a signing
>>>  cert that is trusted by the browser, and how did it get installed in the
>>>  browser?
>>>
>>
>> If proxy CA certificate can be installed to browser, then it is also
>> possible
>> to install browser plugin to browser.
>>
>> That browser plugin can implement some kind sidechannel.
>>
>> But different browsers and OSes, cpus need all diffrent plugin.
>> Proxy CA certificate format does not change here.
>>
>> I see why that direction is selected.
>>
>> And network border (or proxy) need some way to verify plugin
>> is active and sidechannel is in use on many use scenario.
>> Otherwise may be even disabled accidentally on browser update.
>>
>> Hmm. One radical sidechannel is what tells symmectric encryption
>> key of TLS connection. I guess that this is not acceible for browser
>> plugin either. In that case proxy can verify that it have symmectric
>> encryption key for TLS connection.
>>
>>
>> Internet Content Adaptation Protocol (ICAP, RFC 3507)
>> can perhaps act as standardised sidechannel protocol,
>> but that does not look like practical and is is
>> not implemneted by browsers. Basically that means
>> that content is moved several times. And also
>> network border (or proxy) can not verify that sidechannel
>> is on use.
>>
>> / Kari Hurtta
>>
>>
>>
>>
>
>