Changeset 1744 for draft-ietf-httpbis/latest

Timestamp:

Jul 8, 2012, 6:54:55 PM (7 years ago)

Author:

fielding@…

Message:

we know they exist, so reword section on lower-level network intermediaries

Location:

draft-ietf-httpbis/latest

Files:

• p1-messaging.html (modified) (1 diff)
• p1-messaging.xml (modified) (1 diff)

draft-ietf-httpbis/latest/p1-messaging.html

@@ -915 +915 @@
          when transport-layer security is used to establish private communication through a shared firewall proxy.
       </p>
-      <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span><span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> In addition, there might exist network intermediaries that are not considered part of the HTTP communication but nevertheless
-         act as filters or redirecting agents (usually violating HTTP semantics, causing security problems, and otherwise making a
-         mess of things). Such a network intermediary, often referred to as an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a>, "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a>, or "<dfn>captive portal</dfn>", differs from an HTTP proxy because it has not been selected by the client. Instead, the network intermediary redirects
-         outgoing TCP port 80 packets (and occasionally other common port traffic) to an internal HTTP server. Interception proxies
-         are commonly found on public network access points, as a means of enforcing account subscription prior to allowing use of
-         non-local Internet services, and within corporate firewalls to enforce network usage policies. They are indistinguishable
-         from a man-in-the-middle attack.
+      <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span>  <span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> The above categories for intermediary only consider those acting as participants in the HTTP communication. There are also
+         intermediaries that can act on lower layers of the network protocol stack, filtering or redirecting HTTP traffic without the
+         knowledge or permission of message senders. Network intermediaries often introduce security flaws or interoperability problems
+         by violating HTTP semantics. For example, an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a> (also commonly known as a "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a> or "<dfn>captive portal</dfn>") differs from an HTTP proxy because it is not selected by the client. Instead, an interception proxy filters or redirects
+         outgoing TCP port 80 packets (and occasionally other common port traffic). Interception proxies are commonly found on public
+         network access points, as a means of enforcing account subscription prior to allowing use of non-local Internet services,
+         and within corporate firewalls to enforce network usage policies. They are indistinguishable from a man-in-the-middle attack.
       </p>
       <p id="rfc.section.2.3.p.11">HTTP is defined as a stateless protocol, meaning that each request message can be understood in isolation. Many implementations

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -519 +519 @@
    through a shared firewall proxy.
 </t>
-<t><iref primary="true" item="interception proxy"/><iref primary="true" item="transparent proxy"/>
+<t><iref primary="true" item="interception proxy"/>
+<iref primary="true" item="transparent proxy"/>
 <iref primary="true" item="captive portal"/>
-   In addition, there might exist network intermediaries that are not
-   considered part of the HTTP communication but nevertheless act as
-   filters or redirecting agents (usually violating HTTP semantics,
-   causing security problems, and otherwise making a mess of things).
-   Such a network intermediary, often referred to as an "<x:dfn>interception proxy</x:dfn>"
-   <xref target="RFC3040"/>, "<x:dfn>transparent proxy</x:dfn>" <xref target="RFC1919"/>,
-   or "<x:dfn>captive portal</x:dfn>",
-   differs from an HTTP proxy because it has not been selected by the client.
-   Instead, the network intermediary redirects outgoing TCP port 80 packets
-   (and occasionally other common port traffic) to an internal HTTP server.
+   The above categories for intermediary only consider those acting as
+   participants in the HTTP communication.  There are also intermediaries
+   that can act on lower layers of the network protocol stack, filtering or
+   redirecting HTTP traffic without the knowledge or permission of message
+   senders. Network intermediaries often introduce security flaws or
+   interoperability problems by violating HTTP semantics.  For example, an
+   "<x:dfn>interception proxy</x:dfn>" <xref target="RFC3040"/> (also commonly
+   known as a "<x:dfn>transparent proxy</x:dfn>" <xref target="RFC1919"/> or
+   "<x:dfn>captive portal</x:dfn>")
+   differs from an HTTP proxy because it is not selected by the client.
+   Instead, an interception proxy filters or redirects outgoing TCP port 80
+   packets (and occasionally other common port traffic).
    Interception proxies are commonly found on public network access points,
    as a means of enforcing account subscription prior to allowing use of