Re: The future of forward proxy servers in an http/2 over TLS world
Amos Jeffries <squid3@treenet.co.nz> Fri, 17 February 2017 04:26 UTC
On 17/02/2017 9:17 a.m., Tom Bergan wrote:
> Ok, I see that I unintentionally stepped on a landmine. Sorry.
>
> On Thu, Feb 16, 2017 at 11:47 AM, Alex Rousskov wrote:
>
>> On 02/16/2017 11:25 AM, Tom Bergan wrote:
>>
>>> You started by stating, without proof, that proxies are needed to block
>>> requests.
>>
>> Adrien did not state that at all! He actually stated that
>>
>> * proxies are used to block requests;
>> * blocking requests is a critical proxy purpose;
>> * blocking by proxy becomes increasingly difficult or even impossible
>> due to ongoing protocol changes
>>
>> All are well-known facts that do not require a proof, I hope.
>>
>> [ If you are implying that requests should never be blocked or should
>> only be blocked by user agents, then I hope that other folks on the
>> mailing list can prove you wrong without appearing to be as biased as a
>> proxy developer would. ]
>
>
> Yes, I'm asking why the blocking needs to happen in a proxy. For example,
> Chrome's SafeBrowsing feature doesn't use a proxy. Your client is a willing
> participant that will customize their software and configuration as you ask
> them. Why does the protocol for deciding what to block necessarily need to
> happen over a proxy, rather than a side-channel? Maybe I'm being naive and
> don't know all the obvious reasons why a proxy is needed and a side-channel
> won't work. Has someone written an RFC describing why?
>

Here is one reason: https://tools.ietf.org/html/rfc7725

The Browser behaviour of censoring the intermediary generated error text prevents ISP and all other non-CDN entities from using that status code in protest or to inform the user base about network censorship and other unjust restrictions.

The problem is not limited to proxies, we are just the WG members speaking up about the problem. A firewall could blindly respond with the byte string of a HTTP 4xx/5xx response and it would be censored on HTTPS traffic just as much as any proxy.

Basically the Browser behaviour is colluding to perform censorship.

Amos
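
RFC 7725, cited in the reply above, defines status 451 and a `Link` header with `rel="blocked-by"` naming the blocking entity. The following is an added example, not part of the original message: it serializes such a response as an intermediary would and extracts the fields a client would have to surface for the user to learn who is blocking and why. The host `isp.example`, the explanation text and all function names are constructed for illustration.

```python
import re

def build_451(blocker_url, explanation):
    """Serialize an RFC 7725 response as an intermediary would emit it."""
    body = explanation.encode("utf-8")
    head = (
        "HTTP/1.1 451 Unavailable For Legal Reasons\r\n"
        f'Link: <{blocker_url}>; rel="blocked-by"\r\n'
        "Content-Type: text/plain; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body

# One link-value: <target> followed by zero or more ";param" parts.
LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)')
REL_RE = re.compile(r'\brel\s*=\s*"?([^";,]+)"?', re.I)

def blocked_by(link_value):
    """Return targets of links whose rel list includes "blocked-by"."""
    found = []
    for target, params in LINK_RE.findall(link_value):
        rel = REL_RE.search(params)
        if rel and "blocked-by" in rel.group(1).lower().split():
            found.append(target)
    return found

def parse_block_notice(raw):
    """Extract status, blocking entity and explanation from raw response bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    length = int(headers.get("content-length", ["0"])[0])
    entities = [t for v in headers.get("link", []) for t in blocked_by(v)]
    return {"status": status, "blocked_by": entities,
            "explanation": body[:length].decode("utf-8")}

# Constructed sample: placeholder host and text, not taken from the thread.
SAMPLE = build_451("https://isp.example/legal-notice",
                   "Blocked under a court order.")

if __name__ == "__main__":
    print(parse_block_notice(SAMPLE))
```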