HTTPS-everywhere vs. proxy caching
wmf at felter.org
Fri May 3 19:33:02 UTC 2013
On 5/3/13 2:06 PM, Jay Ashworth wrote:
> It occurs to me that I don't believe I've seen any discussion of the
> Unexpected Consequence of pervasive HTTPS replacing HTTP for unauthenticated
> sessions, like non-logged-in users browsing sites like Wikipedia.
> That traffic's not cacheable, is it?

This has been discussed over the last year in the IETF HTTP WG in the
context of SPDY and HTTP 2.0. Today this traffic is not cacheable. Some
people are proposing to have a mode that is end-to-end secure and shows
the lock icon in the browser and a different mode that uses SSL to the
cache and SSL from the cache to the origin and doesn't show a lock.

For networks that have traffic inspection "requirements" (e.g.
education/enterprise) there has also been discussion about a signaling
protocol for the network to indicate to browsers that all non-proxied
traffic will be dropped. Transparent proxies are evil and one of the
goals of HTTP 2.0 is to make proxies visible to the browser/user so they
can choose whether to consent to having their traffic proxied.