Timestamp:
Jul 8, 2012, 6:54:55 PM (7 years ago)
Author:
fielding@…
Message:

we know they exist, so reword section on lower-level network intermediaries

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p1-messaging.html

    r1742 r1744  
    915915         when transport-layer security is used to establish private communication through a shared firewall proxy.
    916916      </p>
    917       <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span><span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> In addition, there might exist network intermediaries that are not considered part of the HTTP communication but nevertheless
    918          act as filters or redirecting agents (usually violating HTTP semantics, causing security problems, and otherwise making a
    919          mess of things). Such a network intermediary, often referred to as an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a>, "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a>, or "<dfn>captive portal</dfn>", differs from an HTTP proxy because it has not been selected by the client. Instead, the network intermediary redirects
    920          outgoing TCP port 80 packets (and occasionally other common port traffic) to an internal HTTP server. Interception proxies
    921          are commonly found on public network access points, as a means of enforcing account subscription prior to allowing use of
    922          non-local Internet services, and within corporate firewalls to enforce network usage policies. They are indistinguishable
    923          from a man-in-the-middle attack.
     917      <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span>  <span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> The above categories for intermediary only consider those acting as participants in the HTTP communication. There are also
     918         intermediaries that can act on lower layers of the network protocol stack, filtering or redirecting HTTP traffic without the
     919         knowledge or permission of message senders. Network intermediaries often introduce security flaws or interoperability problems
     920         by violating HTTP semantics. For example, an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a> (also commonly known as a "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a> or "<dfn>captive portal</dfn>") differs from an HTTP proxy because it is not selected by the client. Instead, an interception proxy filters or redirects
     921         outgoing TCP port 80 packets (and occasionally other common port traffic). Interception proxies are commonly found on public
     922         network access points, as a means of enforcing account subscription prior to allowing use of non-local Internet services,
     923         and within corporate firewalls to enforce network usage policies. They are indistinguishable from a man-in-the-middle attack.
    924924      </p>
    925925      <p id="rfc.section.2.3.p.11">HTTP is defined as a stateless protocol, meaning that each request message can be understood in isolation. Many implementations
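Review bot: The rewritten p.10 drops the clause "to an internal HTTP server", so "filters or redirects outgoing TCP port 80 packets (and occasionally other common port traffic)" no longer says where redirected traffic ends up; if the destination was removed because filtering has none, consider "... redirects outgoing TCP port 80 packets ... to a server of its own choosing" or otherwise keep the point that the client's traffic reaches a server it did not address, since that is what supports the retained "indistinguishable from a man-in-the-middle attack" sentence. Minor: the generated first line has doubled spaces between the `<span>` elements (`</span>  <span`), a whitespace nit in the rendered output.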
  • draft-ietf-httpbis/latest/p1-messaging.xml

    r1742 r1744  
    519519   through a shared firewall proxy.
    520520</t>
    521 <t><iref primary="true" item="interception proxy"/><iref primary="true" item="transparent proxy"/>
     521<t><iref primary="true" item="interception proxy"/>
     522<iref primary="true" item="transparent proxy"/>
    522523<iref primary="true" item="captive portal"/>
    523    In addition, there might exist network intermediaries that are not
    524    considered part of the HTTP communication but nevertheless act as
    525    filters or redirecting agents (usually violating HTTP semantics,
    526    causing security problems, and otherwise making a mess of things).
    527    Such a network intermediary, often referred to as an "<x:dfn>interception proxy</x:dfn>"
    528    <xref target="RFC3040"/>, "<x:dfn>transparent proxy</x:dfn>" <xref target="RFC1919"/>,
    529    or "<x:dfn>captive portal</x:dfn>",
    530    differs from an HTTP proxy because it has not been selected by the client.
    531    Instead, the network intermediary redirects outgoing TCP port 80 packets
    532    (and occasionally other common port traffic) to an internal HTTP server.
     524   The above categories for intermediary only consider those acting as
     525   participants in the HTTP communication.  There are also intermediaries
     526   that can act on lower layers of the network protocol stack, filtering or
     527   redirecting HTTP traffic without the knowledge or permission of message
     528   senders. Network intermediaries often introduce security flaws or
     529   interoperability problems by violating HTTP semantics.  For example, an
     530   "<x:dfn>interception proxy</x:dfn>" <xref target="RFC3040"/> (also commonly
     531   known as a "<x:dfn>transparent proxy</x:dfn>" <xref target="RFC1919"/> or
     532   "<x:dfn>captive portal</x:dfn>")
     533   differs from an HTTP proxy because it is not selected by the client.
     534   Instead, an interception proxy filters or redirects outgoing TCP port 80
     535   packets (and occasionally other common port traffic).
    533536   Interception proxies are commonly found on public network access points,
    534537   as a means of enforcing account subscription prior to allowing use of
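Review bot: The subject of "Network intermediaries often introduce security flaws or interoperability problems by violating HTTP semantics" is ambiguous: it follows the sentence about intermediaries acting on lower layers, but "Network intermediaries" on its own also reads as covering the HTTP-level intermediaries the paragraph just set aside with "The above categories for intermediary only consider those acting as participants in the HTTP communication". Suggest "Such lower-layer intermediaries often introduce ..." so the claim is scoped as intended. Also "categories for intermediary" should read "categories of intermediary" (or "of intermediaries").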