IETF Logo Mail Archive

RE: The future of forward proxy servers in an http/2 over TLS world

Mike Bishop <Michael.Bishop@microsoft.com> Wed, 15 February 2017 20:54 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E07B1297EF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 15 Feb 2017 12:54:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tiESpgXXd0_z for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 15 Feb 2017 12:54:45 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9480E129717 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 15 Feb 2017 12:54:45 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ce6ZP-0002dD-4K for ietf-http-wg-dist@listhub.w3.org; Wed, 15 Feb 2017 20:52:59 +0000
Resent-Date: Wed, 15 Feb 2017 20:52:59 +0000
Resent-Message-Id: <E1ce6ZP-0002dD-4K@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1ce6ZI-0002Sm-Pb for ietf-http-wg@listhub.w3.org; Wed, 15 Feb 2017 20:52:52 +0000
Received: from mail-cys01nam02on0129.outbound.protection.outlook.com ([104.47.37.129] helo=NAM02-CY1-obe.outbound.protection.outlook.com) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.84_2) (envelope-from <Michael.Bishop@microsoft.com>) id 1ce6Z9-0006FE-SP for ietf-http-wg@w3.org; Wed, 15 Feb 2017 20:52:47 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=WQ//dcOO+1E4imStcnxYautTDmLbGnY3nxyxyCKrMlg=; b=WEajeVotwTlSnmwGdBBjDF7wY9aZOppgCeJXqr9llL7XSG0l1Sc9CcO1QA/5BwJWpnhMvGJVf9c11xxQl2TvvncC83H2qJG+dhWYPPwhEtLJ8Ai+UPO2wJtCZPKXD5RIglFvtIPG9Ydtn90ndBGwNCEaz26A9HsDbupYsWBL/mI=
Received: from BN6PR03MB2708.namprd03.prod.outlook.com (10.173.144.15) by BN6PR03MB2705.namprd03.prod.outlook.com (10.173.144.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Wed, 15 Feb 2017 20:52:14 +0000
Received: from BN6PR03MB2708.namprd03.prod.outlook.com ([10.173.144.15]) by BN6PR03MB2708.namprd03.prod.outlook.com ([10.173.144.15]) with mapi id 15.01.0888.030; Wed, 15 Feb 2017 20:52:14 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Adrien de Croy <adrien@qbik.com>, Ryan Hamilton <rch@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: The future of forward proxy servers in an http/2 over TLS world
Thread-Index: AQHSh8bp5mADAM3rNEGwNy4vxt1oCaFqfu4AgAABAgCAAAivBIAAAFBg
Date: Wed, 15 Feb 2017 20:52:14 +0000
Message-ID: <BN6PR03MB27084197C5FFEBD76E19C738875B0@BN6PR03MB2708.namprd03.prod.outlook.com>
References: <emde1bfa93-84c0-49f7-83a4-b9bed24e0276@bodybag> <20170215193126.C090E1F063@welho-filter1.welho.com> <embaebd293-2d9d-4e45-9048-2763e892ceb0@bodybag> <CAOdDvNpR5i4xu9viAXD2ioG5W096xAHz4EHzByQL8ZN4FO-sTg@mail.gmail.com> <emcb751fb1-f781-46c5-b888-0af8b1c2af7f@bodybag> <CAJ_4DfSZT_7LhWyt=O1J7i8pGSpv619ekr5OSk75LeQnwsEHRA@mail.gmail.com> <emd82135a2-56a0-49c9-908f-109a740d7441@bodybag> <CAJ_4DfTgzzqJKy1QL2YGS7FyaECBA_GeQt5+gn4hrQnB6h3FTg@mail.gmail.com> <em2b16b855-c719-422a-9488-6c34893e2432@bodybag>
In-Reply-To: <em2b16b855-c719-422a-9488-6c34893e2432@bodybag>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Bishop@microsoft.com;
x-originating-ip: [2001:4898:80e8:7::51f]
x-ms-office365-filtering-correlation-id: 86773a32-ecfc-4309-161e-08d455e48559
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BN6PR03MB2705;
x-microsoft-exchange-diagnostics: 1; BN6PR03MB2705; 7:F4VU9BfC4S1UrQoFOlAfdPdsazyGsFnqxHInq5XVlOrBr5peVNEXFoUf5AC/j6cWGryP34+0/mzXKGc+/GAHMH8DP7w0O8DvBwNwgoARIc4si2gpuNzY2eYASfHuy//QrH5OpimidydHycw2NQue66/Z3d2IrxL1sFUIBqDuiX5mRRRWWcjtU+l83dzTFGhUhMUd6OPbFBUsa3/gvKhwT9VnzWf02mn6oaiCSrR7v236LWYVD/ZN8J2XbiRqrA8ceVIh0RKYVJ0IDjhm9+DJz+P6vLaf3q4XOvZh9I+6/mLPb1IkwqK8kqqaPo9qyfwlvcsFQATkmI5v38KgFtS3Eqeqiv7MPdbl/N3l0ezs7rk=
x-microsoft-antispam-prvs: <BN6PR03MB27053C5A3AA780D026562C3A875B0@BN6PR03MB2705.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(211936372134217)(21748063052155)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123560025)(20161123564025)(20161123555025)(20161123558025)(6042181)(6072148); SRVR:BN6PR03MB2705; BCL:0; PCL:0; RULEID:; SRVR:BN6PR03MB2705;
x-forefront-prvs: 021975AE46
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(13464003)(189002)(199003)(377454003)(24454002)(81166006)(8676002)(8990500004)(3280700002)(81156014)(7906003)(8936002)(93886004)(189998001)(105586002)(1680700002)(106116001)(7736002)(2501003)(122556002)(3660700001)(74316002)(790700001)(2900100001)(2906002)(54896002)(106356001)(6116002)(102836003)(389900002)(92566002)(55016002)(99286003)(236005)(551544002)(9686003)(6306002)(97736004)(68736007)(229853002)(606005)(54356999)(50986999)(76176999)(6506006)(10090500001)(33656002)(2950100002)(101416001)(53386004)(38730400002)(25786008)(10290500002)(6436002)(5660300001)(6246003)(5005710100001)(86362001)(86612001)(77096006)(19609705001)(53936002)(7696004); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR03MB2705; H:BN6PR03MB2708.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR03MB27084197C5FFEBD76E19C738875B0BN6PR03MB2708namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Feb 2017 20:52:14.0732 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR03MB2705
Received-SPF: pass client-ip=104.47.37.129; envelope-from=Michael.Bishop@microsoft.com; helo=NAM02-CY1-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: AWL=-2.377, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=0.5
X-W3C-Scan-Sig: mimas.w3.org 1ce6Z9-0006FE-SP 2a773dc9102db6f9f0cab120fb2e71ef
X-Original-To: ietf-http-wg@w3.org
Subject: RE: The future of forward proxy servers in an http/2 over TLS world
Archived-At: <http://www.w3.org/mid/BN6PR03MB27084197C5FFEBD76E19C738875B0@BN6PR03MB2708.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33539
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

No, CONNECT is HTTP, full stop.  The use of that method is defined for HTTP/1.1, HTTP/2, and even HTTP/QUIC.  You can speak HTTP/2 to a proxy if you want – you get a multiplexed connection to the proxy, and what the proxy uses on the back-end is opaque to you.

I’m somewhat sympathetic to the complaint that we’ve doubled down on two-party communication when there are legitimate use cases for having a third party with some level of access to the traffic.  The problem is that these use cases run the gamut as to how much access they need, and they’re equally applicable to illegitimate cases.  (Or rather, cases *I* perceive as illegitimate, since that’s a policy judgement and not a technical one.)

Groups such as IEEE’s Encrypted Traffic Inspection working group are trying to build something like this, but they make me nervous.  You can’t build a mechanism into a protocol that restricts it to virtuous uses – see RFC3751 for a good example here.  The best that can be achieved is to surface to the user an authenticated identity of who’s spying on their traffic – but we all know the outcome of user dialogs asking “would you like to agree to some technical gobbledygook, or would you like to not see your dancing kittens?”

From: Adrien de Croy [mailto:adrien@qbik.com]
Sent: Wednesday, February 15, 2017 12:40 PM
To: Ryan Hamilton <rch@google.com>; ietf-http-wg@w3.org
Subject: Re: The future of forward proxy servers in an http/2 over TLS world



------ Original Message ------
From: "Ryan Hamilton" <rch@google.com<mailto:rch@google.com>>
To: "Adrien de Croy" <adrien@qbik.com<mailto:adrien@qbik.com>>
Sent: 16/02/2017 9:26:37 AM
Subject: Re: The future of forward proxy servers in an http/2 over TLS world

I'm not sure what a "Trusted proxy" means in this context. If the proxy can mint certificates that are trusted by the browser, then the proxy can terminate TLS connections at the proxy and impersonate the origin. This is a supported use-case in Chrome (and other browsers).
minting certs is a MitM function.  I wasn't referring to that.

But if the proxy can mint certs that are trusted by the browser, the question is how is that.  The proxy would need to be using a signing cert that is trusted by the browser, and how did it get installed in the browser?

In any case as per my original post, MitM is getting squeezed out by HSTS, PKP etc.  Instead of promoting an arms-race between client vendors and proxy vendors (e.g. our current next step is to attack HSTS and PKP to enable us to continue to display block pages that don't cause our customers headaches) how about we work together to allow decent secure blocking of requests?

Blocking is a completely legitimate need in corporate networks and others.

Currently the balance of power has swung to the user, whether that's a child surfing where he/she shouldn't or whoever.

Blocking has become less precise, and the way it's going will have to be done at the IP or TCP level.  The lower the level you block at, the worse the user experience, and the more time wasted in organisations chasing phantoms mis-reported by browsers.

Does h2 even support a proxy?  CONNECT is HTTP/1

Adrien




On Wed, Feb 15, 2017 at 12:23 PM, Adrien de Croy <adrien@qbik.com<mailto:adrien@qbik.com>> wrote:

how did they trust the proxy?

I'm suggesting trusted proxy, which means the proxy would need to use a cert trusted by the client.

I'd go further and say we need to do better than proxy auto-detect as well - it needs to be secured.

Adrien


------ Original Message ------
From: "Ryan Hamilton" <rch@google.com<mailto:rch@google.com>>
To: "Adrien de Croy" <adrien@qbik.com<mailto:adrien@qbik.com>>
Sent: 16/02/2017 9:22:06 AM
Subject: Re: The future of forward proxy servers in an http/2 over TLS world

On Wed, Feb 15, 2017 at 12:11 PM, Adrien de Croy <adrien@qbik.com<mailto:adrien@qbik.com>> wrote:
We already support this with WinGate and I've verified it with Chrome and Firefox.  In that case couldn't the client trust an error response body from CONNECT?

​We used to do this in Chrome, but removed it because of the potential for phishing. Here's just on example

Imagine that at user has their browser configured to do proxy auto discovery. They walk into a cafe and join a wireless network which sends their traffic to a malicious proxy. The user types https://mail.example.com/, and is presented with a CONNECT error page whose contents look exactly like the actual mail.example.com<http://mail.example.com> login page to which they dutifully type their username and password.

v2.23.0 | Report a Bug | By Email