Re: [Int-area] New version of WPADNG

David Schinazi <dschinazi.ietf@gmail.com> Tue, 09 July 2024 21:56 UTC

From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Tue, 09 Jul 2024 14:55:08 -0700
Message-ID: <CAPDSy+6ranR-120OMGzOGELLA=r2BxJdqLFmTXWqCA6-wm2uoQ@mail.gmail.com>
To: Josh Cohen <joshco@gmail.com>
Cc: int-area@ietf.org, ietf-http-wg@w3.org
Archived-At: <https://www.w3.org/mid/CAPDSy+6ranR-120OMGzOGELLA=r2BxJdqLFmTXWqCA6-wm2uoQ@mail.gmail.com>

Hi Josh,

I agree with you that the world has changed a lot since WPAD was defined in
1997. The Web has changed, and the use of proxies has changed with it. Now
that HTTPS is ubiquitous, transparent caching proxies are pretty much
extinct and proxies are mainly used for either filtering or privacy
benefits. In both of those scenarios, there exists a trust relationship
between the client device and the proxy service. And that relationship is
used to configure proxy settings: modern browsers and operating systems
offer enterprise controls that allow an administrator to configure a proxy
on their entire fleet without requiring any automatic discovery. Similarly,
privacy proxies are configured by the privacy service that runs on the
client devices. There isn't much of a need for automatic discovery. And
such discovery causes harm: we've seen time and time again how attackers
were able to leverage WPAD to gain access to confidential data. Because of
these two combined factors, many browsers and operating systems have
disabled WPAD by default. Your WPADNG proposal addresses neither of these
factors, and doesn't change the fact that WPAD is unsafe and no longer
needed. At this point in time, I think we can pour one out for WPAD,
declare that its time has passed, thank it for its service, and move on.

Cheers,
David

On Mon, Jul 8, 2024 at 5:35 PM Josh Cohen <joshco@gmail.com> wrote:

> Greetings,
>
> I've submitted a new draft of Web Proxy Automatic Discovery Next
> Generation (WPADNG)
>
> https://www.ietf.org/archive/id/draft-joshco-wpadng-01.html
>
> *Changes:*
>
> I've removed the old DNS A, TXT, SRV discovery mechanisms.
>
> The current discovery mechanisms are DHCP (v4/v6) and DNSSD.
>
> In terms of priority it is DHCP, then DNSSD.
>
> For DNSSD the key is new _wpadng._tcp.example.com. DNS "devolution"
> remains, e.g. first "dev.example.com", then "example.com".
>
> I've added the use of a URN for the proxy config URI to indicate "there is
> no proxy and stop discovery" to prevent discovery of rogue proxies.
>
> *I'm seeking feedback on the following:*
>
> Is the priority of DHCP, DNSSD best?
>
> For DNSSD, is domain devolution common practice? E.g. first
> "dev.example.com", then "example.com". If not, what are other common
> practices to deal with subdomain scenarios?
>
> For DNSSD and DHCPv6, we can include more than just a URL, since we have
> key/value pairs in DNSSD and from my read, it looks like there is room to
> do the same for DHCPv6. Is there other information the client should know
> that we should add?
>
> Are there other URNs that we should add?
>
> --
> Josh Cohen
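The DHCP-then-DNSSD order, the devolution walk and the "no proxy, stop discovery" URN from Josh's message, modelled as an added Python example (not the draft's code and not either author's). The URN value, the injected lookup callables, the sample answers and the devolution floor that stops short of the public suffix are my assumptions.

```python
from typing import Callable, Optional, List

NO_PROXY_URN = "urn:example:wpadng:no-proxy"   # placeholder: the draft's value is not on the page
SERVICE_PREFIX = "_wpadng._tcp."                # DNSSD key named in the message

def devolution_names(host_fqdn: str, min_labels: int = 2) -> List[str]:
    """Candidate DNSSD names, most specific first, e.g.
    host.dev.example.com -> _wpadng._tcp.dev.example.com, _wpadng._tcp.example.com.
    min_labels is my addition: it stops the walk before the public suffix,
    where anyone could publish an answer. The page specifies no floor."""
    labels = host_fqdn.rstrip(".").split(".")[1:]   # drop the host's own label
    names = []
    while len(labels) >= min_labels:
        names.append(SERVICE_PREFIX + ".".join(labels))
        labels = labels[1:]
    return names

def discover(dhcp: Callable[[], Optional[str]],
             dnssd: Callable[[str], Optional[str]],
             host_fqdn: str) -> Optional[str]:
    """DHCP first, then DNSSD with devolution. The stop URN from any step ends
    discovery with no proxy; an empty answer moves on to the next candidate."""
    uri = dhcp()
    if uri == NO_PROXY_URN:
        return None
    if uri:
        return uri
    for name in devolution_names(host_fqdn):
        uri = dnssd(name)
        if uri == NO_PROXY_URN:
            return None
        if uri:
            return uri
    return None

# Constructed sample answers so the block runs stand-alone.
SAMPLE_DNSSD = {"_wpadng._tcp.example.com": "https://proxy.example.com/wpad.dat"}

def demo() -> dict:
    no_dhcp = lambda: None
    dnssd = lambda name: SAMPLE_DNSSD.get(name)
    return {
        "devolved": discover(no_dhcp, dnssd, "host.dev.example.com"),
        "dhcp_wins": discover(lambda: "https://dhcp.example.com/wpad.dat", dnssd, "host.dev.example.com"),
        "stopped": discover(lambda: NO_PROXY_URN, dnssd, "host.dev.example.com"),
    }
```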