RE: ext#9: OppSec and Proxies

"Richard Wheeldon (rwheeldo)" <rwheeldo@cisco.com> Wed, 02 July 2014 09:42 UTC

From: "Richard Wheeldon (rwheeldo)" <rwheeldo@cisco.com>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: ext#9: OppSec and Proxies
Date: Wed, 02 Jul 2014 09:39:47 +0000
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1B54310D@xmb-rcd-x04.cisco.com>
References: <6DC606AE-97A0-4958-BEAB-886D64B23F5C@mnot.net>
In-Reply-To: <6DC606AE-97A0-4958-BEAB-886D64B23F5C@mnot.net>

From: Mark Nottingham [mailto:mnot@mnot.net]
> Can the proxy advertise OppSec?

I'd really like the answer to this to be "yes". Consider a typical network layout for a guy in a coffee shop using his laptop:

	Client --- < Wifi > --- < ISPs > --- < Proxy > --- < ISPs > --- < Server >

The Wifi part of the picture is the dodgy part. That's the area of high latency, low bandwidth and high risk of direct attack (e.g. stolen credentials, malware, data loss and personal attacks, as opposed to NSA-style monitoring). Cisco have a product called AnyConnect which is a pretty popular VPN client. Less well known is that it also has a mode in which all Web traffic is sent to Cloud Web Security (the big proxy in the cloud). Since it's designed to be used on laptops in these sorts of scenarios, it upgrades all connections to TLS for security. However, this requires custom software on the endpoint, with a client that knows a lot less about page structure and user activity than the browser does. It'd be much neater, faster and cleaner if we could just kick the browser into doing HTTP/2 over TLS and leave the client as a dumb bit-mover. Similar arguments can be made for other proxies.

Regards,

Richard