IETF Logo Mail Archive

Re: The future of forward proxy servers in an http/2 over TLS world

Dave Dolson <ddolson@sandvine.com> Tue, 14 February 2017 23:50 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 135AF12996E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 15:50:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9utNusNYoGnx for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 15:50:10 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F45E129967 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 14 Feb 2017 15:50:10 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cdmpG-0001HG-Rd for ietf-http-wg-dist@listhub.w3.org; Tue, 14 Feb 2017 23:48:02 +0000
Resent-Date: Tue, 14 Feb 2017 23:48:02 +0000
Resent-Message-Id: <E1cdmpG-0001HG-Rd@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ddolson@sandvine.com>) id 1cdmpB-0001GR-CC for ietf-http-wg@listhub.w3.org; Tue, 14 Feb 2017 23:47:57 +0000
Received: from mail1.sandvine.com ([64.7.137.134]) by titan.w3.org with esmtps (TLS1.0:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.84_2) (envelope-from <ddolson@sandvine.com>) id 1cdmp4-0008CO-PZ for ietf-http-wg@w3.org; Tue, 14 Feb 2017 23:47:51 +0000
Received: from WTL-EXCHP-1.sandvine.com ([fe80::ac6b:cc1e:f2ff:93aa]) by wtl-exchp-2.sandvine.com ([::1]) with mapi id 14.03.0319.002; Tue, 14 Feb 2017 18:47:27 -0500
From: Dave Dolson <ddolson@sandvine.com>
To: Adrien de Croy <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: The future of forward proxy servers in an http/2 over TLS world
Thread-Index: AdKHHLI+nopHjs2kmUqnJANOb1IpRA==
Date: Tue, 14 Feb 2017 23:47:26 +0000
Message-ID: <20170214234724.8495190.85030.137008@sandvine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-c2processedorg: b2f06e69-072f-40ee-90c5-80a34e700794
Content-Type: multipart/alternative; boundary="_000_20170214234724849519085030137008sandvinecom_"
MIME-Version: 1.0
Received-SPF: softfail client-ip=64.7.137.134; envelope-from=ddolson@sandvine.com; helo=mail1.sandvine.com
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: AWL=-1.823, BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_SOFTFAIL=0.665, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1cdmp4-0008CO-PZ 8a62aab28ac992bea1de9334052514d8
X-Original-To: ietf-http-wg@w3.org
Subject: Re: The future of forward proxy servers in an http/2 over TLS world
Archived-At: <http://www.w3.org/mid/20170214234724.8495190.85030.137008@sandvine.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33511
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Proxies may also provide anonymity, which can improve privacy.

Depending, of course, whether you trust the server or the proxy more.



From: Adrien de Croy
Sent: Tuesday, February 14, 2017 5:41 PM
To: ietf-http-wg@w3.org
Reply To: Adrien de Croy
Subject: The future of forward proxy servers in an http/2 over TLS world



At the moment, it feels like the functions provided by proxy servers are being squeezed out by changes in the protocol.

I can understand the desire for privacy, and we've had the argument about whether it should be available to all or not too many times already.

However, there are other functions that a proxy is commonly used for that are becoming impossible with the direction TLS, HTTPS HSTS, cert pinning etc are going.

Whilst I can understand a desire and need for privacy, an ability to be able to go to a website without betraying which site you're going to (e.g. see https://tools.ietf.org/html/draft-schwartz-dns-sni-01) there's probably 1 remaining IMO critical bona fide purpose for a proxy which is becoming very problematic for users.

Blocking requests.

So, do we feel there is still a place for blocking requests?  Our customers still certainly want this.

Currently the user experience is either appalling (generic connectivity failure report which wastes a lot of user time), or requires deployment of a MitM, which is being squeezed out as well.  We should be able to do better, but it doesn't appear to be being addressed at all, and the gulf is widening.

I believe we need to put some time into working out how we can allow a proxy to block requests without an awful user experience that costs users and tech support countless hours to deal with.

This means we have a need to be able to respond to CONNECT with a denial, and some kind of message that can be displayed to the user.

It may be that the only way this can be achieved is by the concept of a trusted proxy.

Otherwise if the group consensus is that requests should not be blocked, we need to deal with the consequences of that.

Adrien

P.s. another key feature is caching, but that is becoming less useful anyway.  Customers can often live without caching, they do not tolerate being unable to block however.

v2.23.0 | Report a Bug | By Email