Re: new draft trusted-proxy20-00
Peter Lepeska <bizzbyster@gmail.com> Wed, 15 January 2014 22:49 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D7A21AE439 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 15 Jan 2014 14:49:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.54
X-Spam-Level:
X-Spam-Status: No, score=-7.54 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BREYv3Lix7oZ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 15 Jan 2014 14:49:41 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id E46311AE430 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 15 Jan 2014 14:49:40 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1W3ZG3-0008NG-4e for ietf-http-wg-dist@listhub.w3.org; Wed, 15 Jan 2014 22:48:23 +0000
Resent-Date: Wed, 15 Jan 2014 22:48:23 +0000
Resent-Message-Id: <E1W3ZG3-0008NG-4e@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <bizzbyster@gmail.com>) id 1W3ZFx-0008MK-0v for ietf-http-wg@listhub.w3.org; Wed, 15 Jan 2014 22:48:17 +0000
Received: from mail-ve0-f175.google.com ([209.85.128.175]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <bizzbyster@gmail.com>) id 1W3ZFv-0008Sy-HA for ietf-http-wg@w3.org; Wed, 15 Jan 2014 22:48:16 +0000
Received: by mail-ve0-f175.google.com with SMTP id jx11so668267veb.6 for <ietf-http-wg@w3.org>; Wed, 15 Jan 2014 14:47:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5cbg7+9t0M8lT57xNtlsvBSPHK869dHnazKjCovZh7U=; b=eUWYesW+o0xVVaFPoaIFV9TrK1mMT2uYF+uvIIu2pabKYtMU48CuisjG0d2Z9XkCxa N8feROpT3LHyePB16vChUqcGlzmuuKyJkPQjfc4Sp7WiPP7yXIhuj3V0Za6x2RegOtbr ropT5LGaDSFxkf4ZNNHa2+jAt7xHh0uOTVb9U9OqzDdt+RXHqtxu5av+XR2UGMbROhG4 46zuqnAVK/wCV3KskpHTeK4En4rLcHa6YiztuQJmrfj8rcrOUAnEK+C4Bf1c58mKyiUt +OHV7UX/eq2BBmjLdw+PdmO7s7yD/KVmPmqfSCsKevAhDteA4RzAPHK0un/b5ezt7bo0 9KSQ==
MIME-Version: 1.0
X-Received: by 10.220.159.4 with SMTP id h4mr3504189vcx.1.1389826069333; Wed, 15 Jan 2014 14:47:49 -0800 (PST)
Received: by 10.58.155.232 with HTTP; Wed, 15 Jan 2014 14:47:49 -0800 (PST)
In-Reply-To: <eme32fa5b9-bfa9-45e5-a17f-65c266de05af@bodybag>
References: <CANmPAYGqMMOQgMw2V3A66txr7Yu=won9NHSxu-LYxhcTp+f2Dw@mail.gmail.com> <eme32fa5b9-bfa9-45e5-a17f-65c266de05af@bodybag>
Date: Wed, 15 Jan 2014 17:47:49 -0500
Message-ID: <CANmPAYGTdngRpFcjXr-m0v9cJfU9ZNdHn2u6CXY-oGfy5dP_pw@mail.gmail.com>
From: Peter Lepeska <bizzbyster@gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: Yoav Nir <synp71@live.com>, Salvatore Loreto <salvatore.loreto@ericsson.com>, HTTP Working Group <ietf-http-wg@w3.org>, Robert Skog <robert.skog@ericsson.com>, Hans Spaak <hans.spaak@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>
Content-Type: text/plain; charset="ISO-8859-1"
Received-SPF: pass client-ip=209.85.128.175; envelope-from=bizzbyster@gmail.com; helo=mail-ve0-f175.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.654, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1W3ZFv-0008Sy-HA dc4ba1c6dd1695e02b8e63d9a23255c5
X-Original-To: ietf-http-wg@w3.org
Subject: Re: new draft trusted-proxy20-00
Archived-At: <http://www.w3.org/mid/CANmPAYGTdngRpFcjXr-m0v9cJfU9ZNdHn2u6CXY-oGfy5dP_pw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/21816
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Okay. In your case #2, maybe the second ClientHello will need a flag that says "I know you are there proxy but I don't want use you" so that distinguishing between the first and second type of ClientHello is straightforward. Peter On Wed, Jan 15, 2014 at 4:34 PM, Adrien de Croy <adrien@qbik.com> wrote: > > What I would expect in this mechanism, is that you wouldn't get the Client > Hello blocked unless the proxy was asserting that it must be used. > > Otherwise you'd need 2 different types of response - 1 "you must use me", or > 2 "you can try again and I won't block it next time honest" > > In case 1, the user gets to choose between > > 1. I will trust the proxy; or > 2. I will not use the internet > > which is a perfectly reasonable choice IMO. Just like the EULA page on many > a software installer. > > Cheers > > Adrien > > > ------ Original Message ------ > From: "Peter Lepeska" <bizzbyster@gmail.com> > To: "Yoav Nir" <synp71@live.com> > Cc: "Salvatore Loreto" <salvatore.loreto@ericsson.com>; "HTTP Working Group" > <ietf-http-wg@w3.org>; "Robert Skog" <robert.skog@ericsson.com>; "Hans > Spaak" <hans.spaak@ericsson.com>; "John Mattsson" > <john.mattsson@ericsson.com> > Sent: 16/01/2014 07:31:03 > Subject: Re: new draft trusted-proxy20-00 > >> More questions: >> >> "The proxy intercept and does not forward the ClientHello message, >> instead it returns a signed error message ("Here be proxies") >> containing a certificate identifying the proxy. " >> >> What happens if the client decides that it does not trust the proxy? >> Does it send a new ClientHello that the proxy forwards? How does the >> proxy distinguish between the first ClientHello that it does not >> forward and the second ClientHello that it does forward? >> >> Or, on the other hand, is trusting the proxy required to use the >> network in the use case for this new mechanism? >> >> Thanks, >> >> Peter >> >> >> >> But taking a step back, it seems like you are proposing a way for a >> proxy to advertise its presence for HTTPS connections. D >> >> On Mon, Jan 13, 2014 at 9:55 AM, Yoav Nir <synp71@live.com> wrote: >>> >>> Hi, Salvatore >>> >>> Thanks for writing this. A few comments: >>> >>> Section 3.1 has the HTTP proxy indicate its presence by intercepting the >>> ClientHello and returning an error. There are some issue here: >>> >>> * An explicit proxy does not have to be on the data path, and in fact >>> it usually isn't. While MitM proxies have to intercept, clients open >>> connections to explicit proxies, so they're likely to reside in a >>> data-center (sometimes even in the cloud). Blocking HTTP(S) falls to >>> a network firewall. In other words, a MitM proxy usually needs to be >>> co-located with the firewall, but not so for an explicit proxy. >>> * I don't get how the firewall is supposed to redirect the client to >>> the proxy. The third paragraph says "The error could for e.g. be >>> sent using the TLS Alert protocol, but this requires registration of >>> a new error type." I didn't understand whether this is what you are >>> recommending (at least for this solution) or whether there are other >>> options. It should be noted that in order for the firewall to be >>> able to send TLS alerts, it has to MitM at least TCP, as the browser >>> thinks it is opening a connection with the server. If we were >>> specifying the Internet from scratch, we could define an ICMP >>> message that can be sent to the browser in response to the TCP-SYN >>> packet. I'm not sure how well that would work, and whether the >>> operating systems that we're using even have APIs to tell the >>> application what the content of the ICMP was, so I guess we're stuck >>> with firewalls impersonating servers at the TCP layer. >>> >>> Section 4.1 describes tunneling by using the HTTP CONNECT method, but >>> then >>> the connection between the UA and the proxy is described at an HTTPS2 >>> connection, and the proxy seems to have access to the request frames. >>> Specifically, a decryption key is passed in an HTTP2 frame. To add to >>> the >>> confusion, the title of this section is "Tunneling". The CONNECT method >>> does >>> go with the term "Tunneling", but then the TLS session is between the UA >>> and >>> the server, while the proxy only sees TLS records and cannot read any of >>> the >>> HTTP2 frames, which may share a TLS record, or span several TLS records. >>> With tunneling, the proxy does little more than moving packets back and >>> forth. >>> >>> The alternative to tunneling, that is sort-of described in section 4.2 >>> is >>> the use of a GET method. In this case the client really opens an >>> HTTPS(2) >>> connection to the proxy, and then sends a GET method for resource >>> "https://server.example.com/resource.html". The server has a totally >>> separate TLS connection with the server and tunnels the requests back >>> and >>> forth. If the proxy can reply to a request from its own cache, it may do >>> so. >>> If it is configured to inspect the content to filter out inappropriate >>> content, it can do that as well. *This* is a trusted proxy. A proxy with >>> tunneling does not need to be trusted any more than the Internet does. >>> >>> Lastly, section 4.2 says that the UA "tunnels" all requests towards the >>> same >>> web server in a single connection. In fact, the UA can tunnel all of its >>> requests towards all servers in the world through this connection. >>> Similarly, the proxy could unify the traffic for several UAs into a >>> single >>> connection with the server. This would work for normal servers, but do >>> we >>> know that no servers make any assumptions about requests based on TCP >>> connection? I know they shouldn't - that's what HTTP cookies are for - >>> but >>> it's possible that some do. >>> >>> Yoav >>> >>> >>> >>> On 10/1/14 1:51 PM, Salvatore Loreto wrote: >>>> >>>> >>>> Hi there, >>>> >>>> we have submitted a new draft with the aim to continue the discussion >>>> on >>>> explicit and trusted proxy as intermediary of HTTP2S traffic: >>>> >>>> >>>> http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-00.txt >>>> >>>> >>>> The document proposes a method for an user agent to automatically >>>> discover (using the TLS Alert) and configure a proxy via a secure >>>> HTTP2.0 >>>> session. >>>> >>>> Moreover the document also draft two alternative mechanisms that allow >>>> the presence of HTTP2.0 secure proxies for TLS protected traffic when >>>> an >>>> user-agent >>>> is requesting an http resource. >>>> >>>> br >>>> Salvatore >>> >>> >>> >>> >> >
- new draft trusted-proxy20-00 Salvatore Loreto
- Re: new draft trusted-proxy20-00 Yoav Nir
- Re: new draft trusted-proxy20-00 Nicolas Mailhot
- Re: new draft trusted-proxy20-00 Adrien de Croy
- Re: new draft trusted-proxy20-00 Nicolas Mailhot
- Re: new draft trusted-proxy20-00 Peter Lepeska
- Re: new draft trusted-proxy20-00 Peter Lepeska
- Re: new draft trusted-proxy20-00 Adrien de Croy
- Re: new draft trusted-proxy20-00 Peter Lepeska
- Re: new draft trusted-proxy20-00 Adrien de Croy
- Re: new draft trusted-proxy20-00 Salvatore Loreto
- Re: new draft trusted-proxy20-00 Salvatore Loreto
- Re: new draft trusted-proxy20-00 Salvatore Loreto