Comments on Explicit/Trusted Proxy

Peter Lepeska <bizzbyster@gmail.com> Thu, 25 April 2013 20:40 UTC

From: Peter Lepeska <bizzbyster@gmail.com>
Message-Id: <896F1026-30C6-4397-B265-67285BFA9DDA@gmail.com>
Date: Thu, 25 Apr 2013 16:38:37 -0400
References: <14A09626-8397-4656-A042-FEFDDD017C9F@mnot.net> <CANmPAYH60+wmeYQAikUd4ps3HdPQSm80TeZbMW37LioBYVj-7A@mail.gmail.com> <CAA4WUYjOPgCse6giEmy3f_MzRTC3K25oAWeAavHnzywc5pL91w@mail.gmail.com> <CANmPAYGr8QDhmLR50UzWYWK_fNYzGbF_P9EN0dOadmL-wQy61g@mail.gmail.com> <CAA4WUYjDoRFwPJNWzRqQHdBbV+DjF0mv8OO4RWTBSmh6=Dcnxw@mail.gmail.com> <CANmPAYEirEfpM6kEuxaM3OF7hsjWu8_Lr0aWfQ+btkEGOH3Vsw@mail.gmail.com> <CAA4WUYjGaZRVm3NtmT5qO3j7QKNZZiX7zBEV-pDhK0VGGSxuUg@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
In-Reply-To: <CAA4WUYjGaZRVm3NtmT5qO3j7QKNZZiX7zBEV-pDhK0VGGSxuUg@mail.gmail.com>
Subject: Comments on Explicit/Trusted Proxy
Archived-At: <http://www.w3.org/mid/896F1026-30C6-4397-B265-67285BFA9DDA@gmail.com>

Some comments on Roberto's doc:

"  In the case where the user-agent has been configured with Chris as a
   trusted-proxy, either Anne's connect-stream MUST use either a null-
   cipher, or Anne MUST provide the decryption key material to Chris
   immediately after tunnel establishment, and before any data traverses
   the tunnel."

This seems like a showstopper to me. Even if we can get past the problems associated with a trusted proxy in general, I can't see getting acceptance of any approach that involves sending a session key from one machine to another. But why not just use two full SSL sessions like the typical MITM proxy (http://crypto.stanford.edu/ssl-mitm/ or http://mitmproxy.org) approach? But instead of forging certificates like they do, just give the trusted proxy its own certificate and then display both the trusted proxy certificate and the content server certificate in the browser when the user wants info about the two point-to-point SSL sessions.

"  For the purpose of this document, it is assumed that the user locates
   a piece of paper upon a wall and reads it, typing these proxy
   settings into a configuration field for their user-agent.  This is
   obviously not the only possible configuration mechanism, but it may,
   sadly, be the most secure.  It is assumed that alternate distribution
   techniques may be discussed."

While explicit proxy configuration may be the most secure, it is very difficult to manage for mobile devices especially, as others have mentioned on this list. Transparent interception is the more widely adopted approach -- not because of security but because of stability and manageability. 

What about "transparent" proxies that advertise themselves? Is it possible to use NPN (https://technotes.googlecode.com/git/nextprotoneg.html) to advertise the presence of an intercepting proxy for 443 traffic? Then the user can be notified that a proxy wants to be trusted for X reasons, and the user would then make the opt-in or opt-out decision. Then, similar to SPDY, the presence of the trusted proxy in the end-to-end path could be signaled to the end user via icons in the browser.

MITM is used today with no user knowledge. At least in this approach, a user has the ability to opt in or out and to also be aware of the presence of the intermediate proxy.

Thoughts?

Peter


On Apr 24, 2013, at 12:49 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:

> Yep, but no, it hasn't gone anywhere.
> 
> 
> On Wed, Apr 24, 2013 at 7:44 AM, Peter Lepeska <bizzbyster@gmail.com> wrote:
> Hi William,
> 
> Is this draft by Roberto Peon the one you were referring to?
> 
> http://tools.ietf.org/html/draft-rpeon-httpbis-exproxy-00
> 
> Has this gone anywhere?
> 
> I'm looking to design and build a "trusted proxy" that aligns with the browser development roadmap/vision in order to provide web acceleration functionality and so would like to get involved in this process if still active.
> 
> Thanks,
> 
> Peter
> 
> 
> On Mon, Apr 30, 2012 at 5:57 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
> On the contrary, I think it's great to have multiple proposals. If you have your own vision for how this should work, please send it out! :) My statement was simply an FYI, not a "back off, we've got this!"
> 
> On Mon, Apr 30, 2012 at 2:45 PM, Peter Lepeska <bizzbyster@gmail.com> wrote:
> Perfect then I'll sit tight.
> 
> Thanks,
> 
> Peter
> 
> 
> On Mon, Apr 30, 2012 at 5:43 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
> FYI, we (google spdy team) have been discussing a "trusted proxy" internally and I think Roberto's got a draft in the works.
> 
> 
> On Mon, Apr 30, 2012 at 2:22 PM, Peter Lepeska <bizzbyster@gmail.com> wrote:
> Hi Mark,
> 
> Earlier this group discussed the idea of a "trusted proxy". Does that fall under the HTTP/2.0 category?
> 
> I may have some cycles for this.
> 
> Thanks,
> 
> Peter
> 
> 
> On Fri, Apr 27, 2012 at 1:28 AM, Mark Nottingham <mnot@mnot.net> wrote:
> Just a reminder that we're still accepting proposals for:
> 
> 1. HTTP/2.0
> 2. New HTTP authentication schemes
> 
> As per our charter <http://datatracker.ietf.org/wg/httpbis/charter/>.
> 
> So far, we've received the following proposals applicable to HTTP/2.0:
>  <http://trac.tools.ietf.org/wg/httpbis/trac/wiki/Http2Proposals>
> 
> But none yet for authentication schemes:
>  <http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HttpAuthProposals>
> 
> As communicated in Paris, the deadline for proposals is 15 June, 2012. It's fine if your proposal isn't complete, but we do need to have a  good sense of it by then, for discussion.
> 
> Regards,
> 
> --
> Mark Nottingham   http://www.mnot.net/