Ignore:
Timestamp:
Jul 8, 2012, 6:54:55 PM (7 years ago)
Author:
fielding@…
Message:

we know they exist, so reword section on lower-level network intermediaries

File:
1 edited

Legend:

Unmodified
Added
Removed
  • draft-ietf-httpbis/latest/p1-messaging.html

    r1742 r1744  
    915915         when transport-layer security is used to establish private communication through a shared firewall proxy.
    916916      </p>
    917       <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span><span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> In addition, there might exist network intermediaries that are not considered part of the HTTP communication but nevertheless
    918          act as filters or redirecting agents (usually violating HTTP semantics, causing security problems, and otherwise making a
    919          mess of things). Such a network intermediary, often referred to as an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a>, "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a>, or "<dfn>captive portal</dfn>", differs from an HTTP proxy because it has not been selected by the client. Instead, the network intermediary redirects
    920          outgoing TCP port 80 packets (and occasionally other common port traffic) to an internal HTTP server. Interception proxies
    921          are commonly found on public network access points, as a means of enforcing account subscription prior to allowing use of
    922          non-local Internet services, and within corporate firewalls to enforce network usage policies. They are indistinguishable
    923          from a man-in-the-middle attack.
     917      <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span>  <span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> The above categories for intermediary only consider those acting as participants in the HTTP communication. There are also
     918         intermediaries that can act on lower layers of the network protocol stack, filtering or redirecting HTTP traffic without the
     919         knowledge or permission of message senders. Network intermediaries often introduce security flaws or interoperability problems
     920         by violating HTTP semantics. For example, an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a> (also commonly known as a "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a> or "<dfn>captive portal</dfn>") differs from an HTTP proxy because it is not selected by the client. Instead, an interception proxy filters or redirects
     921         outgoing TCP port 80 packets (and occasionally other common port traffic). Interception proxies are commonly found on public
     922         network access points, as a means of enforcing account subscription prior to allowing use of non-local Internet services,
     923         and within corporate firewalls to enforce network usage policies. They are indistinguishable from a man-in-the-middle attack.
    924924      </p>
    925925      <p id="rfc.section.2.3.p.11">HTTP is defined as a stateless protocol, meaning that each request message can be understood in isolation. Many implementations
Note: See TracChangeset for help on using the changeset viewer.