Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Read the rest. You'll see that these proxies also serve as handlers for all TLS sessions.


Where does it say that?


3.1.1 TLS Handshake with Proxy certificate

When the user has given consent to the use of a proxy, the User-Agent SHOULD store this consent so that the user does not have to give consent for each new TLS connection involving the proxy. The consent SHOULD be limited to the specific access and MAY be limited to a single connection to that access or limited in time. How the consent information is stored is implementation specific, but as a network may have several proxies (for network resilience) it is RECOMMENDED that the consent is only tied to the Subject field of the proxy certificate so that the consent applies to all proxy certificates with the same name.

If the user has previously given consent to use the specific proxy and the user-agent has stored that, the user-agent may conclude that the user has given consent without asking the user again.

If the user provides consent, the User-Agent continues the TLS handshake with the proxy.

-----------

Right in the next section, it's again implied:

The proxy will then notice that the TLS connection is to be used for a https resource or for a http resource for which the user wants to opt out from the proxy. The proxy will then forward the ClientHello message to the Server and the TLS connection will be end-to-end between the user-agent and the Server.

-----------

Then in 3.2, again implied:

When the User-Agent arrives to the portal page it becomes aware of the existence of a Proxy in the access network and receives a consent request for the proxy to stay in the path for HTTP URI resources. The user-agent then SHOULD secure user consent.

When the user has given consent to the use of a proxy, both the User-Agent and the Proxy SHOULD store this consent so that the user does not have to give consent for each new TLS connection involving the proxy.


The way I'm reading the sections you've quoted, the spec merely allows proxying of https ciphertext. Every router in the internet does that already. Bear in mind that in HTTP 2.0, all connections are TLS connections. The spec sections you've quoted just say that users should only have to consent once to their "http"-resource connections being proxied; they're not talking about "https" resources.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: