Secure Proxy Clarifications
John Mattsson <john.mattsson@ericsson.com> Wed, 26 February 2014 17:06 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 453151A06D9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 26 Feb 2014 09:06:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.049
X-Spam-Level:
X-Spam-Status: No, score=-6.049 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-o3Sn9wSJZX for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 26 Feb 2014 09:06:20 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD231A005F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 26 Feb 2014 09:06:20 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WIhul-0006Pg-5o for ietf-http-wg-dist@listhub.w3.org; Wed, 26 Feb 2014 17:04:59 +0000
Resent-Date: Wed, 26 Feb 2014 17:04:59 +0000
Resent-Message-Id: <E1WIhul-0006Pg-5o@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <john.mattsson@ericsson.com>) id 1WIhuZ-0006O6-H1 for ietf-http-wg@listhub.w3.org; Wed, 26 Feb 2014 17:04:47 +0000
Received: from mailgw1.ericsson.se ([193.180.251.45]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <john.mattsson@ericsson.com>) id 1WIhuX-0002n5-Ud for ietf-http-wg@w3.org; Wed, 26 Feb 2014 17:04:47 +0000
X-AuditID: c1b4fb2d-b7f5d8e000002a7b-0b-530e1e976271
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id 1B.0A.10875.79E1E035; Wed, 26 Feb 2014 18:04:23 +0100 (CET)
Received: from ESESSMB307.ericsson.se ([169.254.7.220]) by ESESSHC002.ericsson.se ([153.88.183.24]) with mapi id 14.02.0387.000; Wed, 26 Feb 2014 18:04:22 +0100
From: John Mattsson <john.mattsson@ericsson.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Secure Proxy Clarifications
Thread-Index: AQHPMxTLF38LtJUPVE6wRTkUYVQcmA==
Date: Wed, 26 Feb 2014 17:04:22 +0000
Message-ID: <CF33DD32.CABE%john.mattsson@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [153.88.183.150]
Content-Type: text/plain; charset="utf-8"
Content-ID: <21707E7FF7A407418D7F8CF532541B8E@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrPLMWRmVeSWpSXmKPExsUyM+Jvje50Ob5gg+NLpSwOt8xicmD0ODpv P2sAYxSXTUpqTmZZapG+XQJXxqs5v1gLzohWbOuZxt7A2CLaxcjJISFgIjHx0GY2CFtM4sK9 9UA2F4eQwCFGiZvvOqGcJYwSm658ZQSpYhMwkJi7pwGsQ0RAR6KjZTETiC0soCJxd8N2Roi4 pkTfm0XMELaexPMJ28BqWARUJb6ev8QCYvMKmEksP38PLM4ItPn7qTVgNrOAuMStJ/OZIC4S kFiy5zwzhC0q8fLxP1YQWxRo5r1Hc1kg4koSK7ZfAtrLAdSrKbF+lz6EaS2x8J0pxERFiSnd D9khtgpKnJz5hGUCo+gsJMtmITTPQmiehaR5FpLmBYysqxjZcxMzc9LLDTcxAiPh4JbfujsY T50TOcQozcGiJM774a1zkJBAemJJanZqakFqUXxRaU5q8SFGJg5OKWDYP9oUP4vr79OuBX/P fl++eNs1x/mHzqz2EI04csyvVKl2/ts796tnzdZ9eTDB94qm2NMp/91F1F6UqCmo196JPqa8 KdVUQsc50Z3VPOjBefP5s13eWX5Sn1kksMDk2eZ8vfUvSz1kVKbGmm80NZlm+7Yl62ZEEs+f S8pTvRLj1sd8fCAn/PKLEktxRqKhFnNRcSIAJMPzpVICAAA=
Received-SPF: pass client-ip=193.180.251.45; envelope-from=john.mattsson@ericsson.com; helo=mailgw1.ericsson.se
X-W3C-Hub-Spam-Status: No, score=-4.3
X-W3C-Hub-Spam-Report: AWL=-1.967, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1WIhuX-0002n5-Ud daec0eb4d3364adcf13fed49902720f3
X-Original-To: ietf-http-wg@w3.org
Subject: Secure Proxy Clarifications
Archived-At: <http://www.w3.org/mid/CF33DD32.CABE%25john.mattsson@ericsson.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22450
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi, I would like to post some clarifications regarding the secure proxy draft (draft-loreto-httpbis-trusted-proxy20-01). I think such discussion should be done here and not somewhere else. - As the suggested solution does not proxy all traffic (e.g. https:// or opt-out) it will be called "secure proxy" instead of trusted proxy as suggested on the list. - “Secure proxy" does not affect https:// resources in any way, such resources are always protected end-to-end as intended. The draft also embraces the decision to allow encryption of http:// resources, which mitigate attacks when using e.g. unencrypted hotspots. - The draft specifies that the user will always become aware of the presence of a "secure proxy". She/he needs to give consent; otherwise the secure proxy is not included in the communication at all. And even if the user has given consent, the user may opt-out for specific connections. An implementation might even choose to always opt-out of all secure proxies. The uses and need for proxies has been extensively discussed in the httpbis wg. Proxies are currently used by enterprises, browser vendors, operators, and applications. Today that usage is often done without any user consent, without opt-out, sometimes without the user knowing, and sometimes done in ways that weakens the user’s security. The secure proxy draft does not introduce the possibility to use proxies. With or without the draft, there will exist other ways to insert proxies. What the draft does is to provide a much more secure way to do so and to give the user power to decide whether to allow proxies or not. Thanks, JOHN MATTSSON MSc Engineering Physics, MSc Business Administration and Economics Ericsson IETF Security Coordinator Senior Researcher, Security Ericsson AB Security Research Färögatan 6 SE-164 80 Stockholm, Sweden Phone +46 10 71 43 501 SMS/MMS +46 76 11 53 501 john.mattsson@ericsson.com www.ericsson.com <http://www.ericsson.com/>
- Secure Proxy Clarifications John Mattsson