Timestamp:
09/07/12 01:54:55 (11 years ago)
Author:
fielding@…
Message:

we know they exist, so reword section on lower-level network intermediaries

File:
1 edited

  • draft-ietf-httpbis/latest/p1-messaging.html

    r1742 r1744  
    915915         when transport-layer security is used to establish private communication through a shared firewall proxy.
    916916      </p>
    917       <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span><span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> In addition, there might exist network intermediaries that are not considered part of the HTTP communication but nevertheless
    918          act as filters or redirecting agents (usually violating HTTP semantics, causing security problems, and otherwise making a
    919          mess of things). Such a network intermediary, often referred to as an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a>, "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a>, or "<dfn>captive portal</dfn>", differs from an HTTP proxy because it has not been selected by the client. Instead, the network intermediary redirects
    920          outgoing TCP port 80 packets (and occasionally other common port traffic) to an internal HTTP server. Interception proxies
    921          are commonly found on public network access points, as a means of enforcing account subscription prior to allowing use of
    922          non-local Internet services, and within corporate firewalls to enforce network usage policies. They are indistinguishable
    923          from a man-in-the-middle attack.
     917      <p id="rfc.section.2.3.p.10"><span id="rfc.iref.i.3"></span>  <span id="rfc.iref.t.3"></span>  <span id="rfc.iref.c.3"></span> The above categories for intermediary only consider those acting as participants in the HTTP communication. There are also
     918         intermediaries that can act on lower layers of the network protocol stack, filtering or redirecting HTTP traffic without the
     919         knowledge or permission of message senders. Network intermediaries often introduce security flaws or interoperability problems
     920         by violating HTTP semantics. For example, an "<dfn>interception proxy</dfn>" <a href="#RFC3040" id="rfc.xref.RFC3040.1"><cite title="Internet Web Replication and Caching Taxonomy">[RFC3040]</cite></a> (also commonly known as a "<dfn>transparent proxy</dfn>" <a href="#RFC1919" id="rfc.xref.RFC1919.1"><cite title="Classical versus Transparent IP Proxies">[RFC1919]</cite></a> or "<dfn>captive portal</dfn>") differs from an HTTP proxy because it is not selected by the client. Instead, an interception proxy filters or redirects
     921         outgoing TCP port 80 packets (and occasionally other common port traffic). Interception proxies are commonly found on public
     922         network access points, as a means of enforcing account subscription prior to allowing use of non-local Internet services,
     923         and within corporate firewalls to enforce network usage policies. They are indistinguishable from a man-in-the-middle attack.
    924924      </p>
    925925      <p id="rfc.section.2.3.p.11">HTTP is defined as a stateless protocol, meaning that each request message can be understood in isolation. Many implementations
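Review bot: The parenthetical in new line 920, (also commonly known as a "transparent proxy" or "captive portal"), makes all three terms synonyms, yet the following sentences describe account-subscription enforcement on public access points as only one place interception proxies are found, alongside corporate firewalls. Consider presenting captive portal as a deployment that uses interception rather than as another name for it. Separately, "The above categories for intermediary" in new line 917 reads better as "The above categories of intermediary", and the closing "They are indistinguishable from a man-in-the-middle attack" would be more precise if it said from whose vantage point, for example the client's.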