HTTPS-everywhere vs. proxy caching

Wes Felter wmf at felter.org
Fri May 3 19:33:02 UTC 2013


On 5/3/13 2:06 PM, Jay Ashworth wrote:
> It occurs to me that I don't believe I've seen any discussion of the
> Unexpected Consequence of pervasive HTTPS replacing HTTP for unauthenticated
> sessions, like non-logged-in users browsing sites like Wikipedia.
>
> That traffic's not cacheable, is it?

This has been discussed over the last year in the IETF HTTP WG in the 
context of SPDY and HTTP 2.0. Today this traffic is not cacheable. Some 
people are proposing to have a mode that is end-to-end secure and shows 
the lock icon in the browser and a different mode that uses SSL to the 
cache and SSL from the cache to the origin and doesn't show a lock.
For networks that have traffic inspection "requirements" (e.g. 
education/enterprise) there has also been discussion about a signaling 
protocol for the network to indicate to browsers that all non-proxied 
traffic will be dropped. Transparent proxies are evil and one of the 
goals of HTTP 2.0 is to make proxies visible to the browser/user so they 
can choose whether to consent to having their traffic proxied.

-- 
Wes Felter





More information about the NANOG mailing list