HTTPS-everywhere vs. proxy caching
rlb at ipv.sx
Fri May 3 19:58:00 UTC 2013
On Fri, May 3, 2013 at 3:33 PM, Wes Felter <wmf at felter.org> wrote:
> On 5/3/13 2:06 PM, Jay Ashworth wrote:
>> It occurs to me that I don't believe I've seen any discussion of the
>> Unexpected Consequence of pervasive HTTPS replacing HTTP for
>> sessions, like non-logged-in users browsing sites like Wikipedia.
>> That traffic's not cacheable, is it?
> This has been discussed over the last year in the IETF HTTP WG in the
> context of SPDY and HTTP 2.0. Today this traffic is not cacheable. Some
> people are proposing to have a mode that is end-to-end secure and shows the
> lock icon in the browser and a different mode that uses SSL to the cache
> and SSL from the cache to the origin and doesn't show a lock.
> For networks that have traffic inspection "requirements" (e.g.
> education/enterprise) there has also been discussion about a signaling
> protocol for the network to indicate to browsers that all non-proxied
> traffic will be dropped. Transparent proxies are evil and one of the goals
> of HTTP 2.0 is to make proxies visible to the browser/user so they can
> choose whether to consent to having their traffic proxied.
> Wes Felter
Thanks for the summary, Wes.
If operators have thoughts on this issue, there is still discussion going
on about HTTP/2.0. As Wes notes, HTTP/2.0 is going to have a strong
emphasis on TLS, as with SPDY. Please send comments to the WG mailing
More information about the NANOG