Re: The future of forward proxy servers in an http/2 over TLS world

Ryan Hamilton <rch@google.com> Thu, 16 February 2017 21:55 UTC

From: Ryan Hamilton <rch@google.com>
Date: Thu, 16 Feb 2017 13:52:31 -0800
Message-ID: <CAJ_4DfS2-_p7A5gEgVXKj-3i_2PJZPpEw7HRuD3V6FLbWVet_w@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: Tom Bergan <tombergan@chromium.org>, Alex Rousskov <rousskov@measurement-factory.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Subject: Re: The future of forward proxy servers in an http/2 over TLS world
Archived-At: <http://www.w3.org/mid/CAJ_4DfS2-_p7A5gEgVXKj-3i_2PJZPpEw7HRuD3V6FLbWVet_w@mail.gmail.com>

On Thu, Feb 16, 2017 at 12:35 PM, Adrien de Croy <adrien@qbik.com> wrote:

>
> Hi Tom
>
> the predominant use-cases are as follows.
>
> 1. A corporation, with many employees with computers and internet access.
> The employer doesn't want the employees spending all day on facebook,
> youtube, or other sites, unless it's the customer-support / social media
> department.
>
> 2. A school which doesn't want students surfing porn
>
> In all these cases, you have the issue of many computers, and a single
> policy.  To block in the browser requires several things: a centralised
> management of the policy, disseminated to the browser, some way of securing
> this so the users don't disable it, etc.
>

Many browsers provide enterprise management functionality for exactly this
sort of use case.

> If on the other hand you intercept outbound connections, and force them
> through a proxy, or require use of a proxy for internet access, you can
> enforce the policy in a place that's removed from the users.
>
> Other features like a shared cache, AV scanning etc are also commonly used.
>
> Also, there are products that provide categorization of sites.  If you
> wanted to allow all sites except porn sites, and to block that in a
> browser, you would need to know what all the porn sites are.
>
> There are products that track this, but they are expensive, have a large
> resource footprint etc. You can't be running this on every endpoint.
>
> So central control is required, and this is a proxy.
>

Many enterprises go this route of using a proxy that mints certificates
and MITMs the connection to enforce policy.
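
As an added illustration of that last point (example code written for this archive page, not part of the thread or of any product named in it): the program below does what such an intercepting proxy does on every CONNECT, namely mint a fresh leaf certificate for the requested host under a locally trusted root, and then checks which clients would accept it. The root name, host names and validity periods are constructed for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// interceptingCA holds the corporate root an intercepting proxy signs with.
// The root name is constructed for this example.
type interceptingCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newInterceptingCA creates a self-signed root, the one the enterprise
// pushes into every managed endpoint's trust store.
func newInterceptingCA() (*interceptingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Proxy Root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &interceptingCA{cert: cert, key: key}, nil
}

// mintLeaf forges a short-lived server certificate for the SNI host the client
// asked for. The origin's real certificate is never shown to the client.
func (ca *interceptingCA) mintLeaf(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // must match what the client connected to
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientAccepts reports whether a client holding exactly the given roots would
// accept leaf for host. An empty (non-nil) pool models an unmanaged device
// that never received the corporate root.
func clientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// issuedByProxy is the check a detection tool would run: is this leaf signed
// by the interception root rather than by the origin's public CA?
func issuedByProxy(leaf, root *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(root) == nil
}

func main() {
	ca, err := newInterceptingCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.mintLeaf("www.example.com")
	if err != nil {
		panic(err)
	}
	managed := x509.NewCertPool()
	managed.AddCert(ca.cert)
	fmt.Println("managed client accepts:  ", clientAccepts(leaf, "www.example.com", managed))
	fmt.Println("unmanaged client accepts:", clientAccepts(leaf, "www.example.com", x509.NewCertPool()))
	fmt.Println("wrong host accepts:      ", clientAccepts(leaf, "other.example.com", managed))
	fmt.Println("leaf signed by proxy root:", issuedByProxy(leaf, ca.cert))
}
```

The two failing cases are the operational cost of this approach: a device that did not receive the root, or a proxy that mints a certificate for a name other than the one the client connected to, gets a hard TLS failure rather than a policy page. The `issuedByProxy` check is also what an endpoint or audit tool uses to tell an interception chain apart from the origin's real one.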