IETF Logo Mail Archive

Re: HTTPS, proxy environment variables and non-CONNECT access

Robert Collins <robertc@squid-cache.org> Tue, 16 July 2013 10:16 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2EB321E81E4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 03:16:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.977
X-Spam-Level:
X-Spam-Status: No, score=-9.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j0luY8LXPbJY for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 03:16:43 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 48BAE11E8294 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 16 Jul 2013 03:16:36 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Uz2IX-000616-Gx for ietf-http-wg-dist@listhub.w3.org; Tue, 16 Jul 2013 10:15:57 +0000
Resent-Date: Tue, 16 Jul 2013 10:15:57 +0000
Resent-Message-Id: <E1Uz2IX-000616-Gx@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <robertc@robertcollins.net>) id 1Uz2IO-0005zm-O1 for ietf-http-wg@listhub.w3.org; Tue, 16 Jul 2013 10:15:48 +0000
Received: from mail-ob0-f170.google.com ([209.85.214.170]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <robertc@robertcollins.net>) id 1Uz2IN-00016G-Sl for ietf-http-wg@w3.org; Tue, 16 Jul 2013 10:15:48 +0000
Received: by mail-ob0-f170.google.com with SMTP id ef5so534291obb.29 for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 03:15:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding:x-gm-message-state; bh=d+a00M72ui+3vPfDpy3tR+Dh+ZNlGNFe6p6uScDTwys=; b=i52jt7NLjwh6iuXJasy6aZVeU40XPHn0CzUGQblFLHpDwjEYv5iyrYgQmqFXAcL8M0 5I5YZg+ZMhUQBOHHeNrOcZAYQtf3psYltojYQq+of3tVve9uotvz8gHVKelr1gULgBkW IF8bmHUMQBnDYjrpfF1r0d/iHi96TCBNbUyhMnqhJgCznZeaHTTIv9WTcyPogEaVjBqn Q7POFWiYpO11OGtgamnSvruJisqxdDsfVIqqMZfxQuRGu7cXSmtwTDDky46REBSFsO7h s/PkT06mrIeUEvVPF8weN+BEY7/jyX6v6PSY8+Q4DBam35Et+Ly/lkZM484xAdkQhgLx eDag==
MIME-Version: 1.0
X-Received: by 10.60.103.115 with SMTP id fv19mr960315oeb.74.1373969721932; Tue, 16 Jul 2013 03:15:21 -0700 (PDT)
Sender: robertc@robertcollins.net
Received: by 10.76.13.138 with HTTP; Tue, 16 Jul 2013 03:15:21 -0700 (PDT)
X-Originating-IP: [122.58.129.196]
In-Reply-To: <869fb0e8ac47fdd512a264dea91bb436.squirrel@arekh.dyndns.org>
References: <CAJ3HoZ3ZuBwAZWrsgrZkoBejeH0t0uJRWAdiy1eKKbQwM3xx5g@mail.gmail.com> <d7ed4bf5bf3c9aa0cad0f9bb2296dc53.squirrel@arekh.dyndns.org> <CAJ3HoZ2Pmtq0uAM8hS2sukH14Yn=dq0K192LzcgXQdRaOyGBpQ@mail.gmail.com> <869fb0e8ac47fdd512a264dea91bb436.squirrel@arekh.dyndns.org>
Date: Tue, 16 Jul 2013 22:15:21 +1200
X-Google-Sender-Auth: qpfAqnVJYMVvWdELUnT4fe8ah2A
Message-ID: <CAJ3HoZ05kw_0qw7wVA9+-FFiQZUE0tZoM8pTfp8XsP_sMKX-3w@mail.gmail.com>
From: Robert Collins <robertc@squid-cache.org>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQmyESQQiEiB7aR4u2MudKetudASPJbxJueIny1P58RnJPCqPJu1ixXNK67Or8wBAIl8Rds6
Received-SPF: none client-ip=209.85.214.170; envelope-from=robertc@robertcollins.net; helo=mail-ob0-f170.google.com
X-W3C-Hub-Spam-Status: No, score=-3.0
X-W3C-Hub-Spam-Report: AWL=-2.325, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1Uz2IN-00016G-Sl b2f3fadf7665089e2e5924e7eae14f74
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTPS, proxy environment variables and non-CONNECT access
Archived-At: <http://www.w3.org/mid/CAJ3HoZ05kw_0qw7wVA9+-FFiQZUE0tZoM8pTfp8XsP_sMKX-3w@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18804
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 16 July 2013 22:07, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
>
> Le Mar 16 juillet 2013 11:52, Robert Collins a écrit :
>
>>> 2. how do you send auth from the client to the proxy in a secure way
>>> without it leaking them outside?
>>
>> I think you mean 'If the origin is an HTTPS origin which uses
>> replayable (e.g. basic) auth, how do you prevent that leaking [vs e.g.
>> how do you authenticate to the proxy itself].
>
> No, I really meant "how do you prevent web site auth leaking proxy-side,
> and proxy auth leaking web site-side, without assuming one of those auths
> is worthless and can be shared or exposed non-encrypted in the name of
> cutting corners". And that in a world where the only auth most web clients
> will use reliably is basic auth.

If a proxy forwards Proxy-Auth headers on it is either a deliberate
strategy for working in a proxy hierarchy, or buggy as hell :). So I'm
not worried about proxy auth leaking web site-side, it's a non-problem
(or a problem already present in the use of proxies, so unrelated to
the use of proxies to obtain https entities.

The web site auth leaking proxy-side aspect I answered in my prior email.

As for dealing with broken web clients - sure, that is a real concern,
but I have no ideas beyond good specs, and filing bugs/not using bad
clients.

-Rob

v2.30.2 | Report a Bug | By Email | System Status