On Thursday, January 4, 2024 at 12:18:25 PM UTC-5 João Paiva wrote:
We are observing that this change is breaking traffic going through middleboxes when the upstreams have misconfigured TLS. The main problem is that from the moment a middlebox completes the TLS handshake of the HTTPS-upgraded connection, the fallback cannot be triggered. Although the blog post [link <https://blog.chromium.org/2023/08/towards-https-by-default.html>] and the explainer [link <http://main>] suggest using a 404 response or a specific header from the upstream to trigger the fallback, neither of these options seems to be available in Chrome. Consequently, enterprise proxies need to advise admins to disable the automatic upgrades feature for their users to avoid breaking some traffic. This is a bad outcome both in terms of security and configuration complexity. Ideally we'd like all users to keep this feature enabled, but have it work when middleboxes are involved and the upstream is faulty. Another critical aspect here is that sometimes middleboxes terminate TLS with the eyeball before contacting the upstream. This can happen for security or performance reasons, to improve UX, or to provide other features. Previously this was acceptable as the middlebox could return an HTML error page if the connection failed. With the introduction of this feature, instead users are unable to access the upstream, only seeing an error message from the middlebox. If Chrome were to support the opt-out header as outlined in the explainer linked above, middleboxes could return it when upstreams turn out to be unreachable. Alternatively, following the recommendation on this comment [link <https://github.com/w3ctag/design-reviews/issues/853#issuecomment-1622149334>], if Chrome sent a header identifying the current request as being triggered by the automatic upgrade flow, then middleboxes would be able to redirect to HTTP in these situations. Notice this can't be done in the general case, since the middlebox might be redirecting the user to a site they didn't request.
We believe implementing these changes would greatly enhance compatibility with middleboxes and improve the overall user experience, so we appreciate your attention to this matter and eagerly await your feedback.

This proposal should be withdrawn, as Alphabet/Google/Chrome has not implemented the standard proposal they introduced.
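The upgrade-and-fallback behaviour described in João Paiva's message above, modelled as an added example (this is constructed illustration code, not Chrome's or any proxy vendor's implementation; the marker header name `Sec-HTTPS-Upgrade` and the host `example.test` are assumptions, not values from the thread). It shows why a TLS-terminating middlebox blocks today's fallback, and how a request marker would let the middlebox redirect only automatically upgraded requests:

```python
# Constructed model of the HTTPS-Upgrades fallback discussed in the thread.
# Not Chrome's code; the marker header name and hostname are assumptions.
from dataclasses import dataclass, field

UPGRADE_MARKER = "Sec-HTTPS-Upgrade"  # hypothetical request header (assumption)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class TLSError(Exception):
    """Connection-level failure: the only thing that triggers fallback today."""


def middlebox(req_headers: dict, upstream_ok: bool) -> Response:
    """TLS-terminating proxy between the browser and the origin.
    When the origin's TLS is broken it may redirect to http:// only if the
    request is marked as an automatic upgrade; otherwise it must not, since
    a user who typed https:// would be sent somewhere they did not ask for."""
    if upstream_ok:
        return Response(200)
    if req_headers.get(UPGRADE_MARKER) == "1":
        return Response(307, {"Location": "http://example.test/"})
    return Response(502)  # the middlebox's own HTML error page


def https_connect(headers: dict, middlebox_present: bool, upstream_ok: bool) -> Response:
    """Handshake with the origin directly, or with the middlebox if present."""
    if middlebox_present:
        return middlebox(headers, upstream_ok)  # handshake always succeeds here
    if not upstream_ok:
        raise TLSError("certificate error from origin")
    return Response(200)


def navigate(middlebox_present: bool, upstream_ok: bool, send_marker: bool) -> tuple:
    """Browser logic: upgrade http:// to https://, fall back only on a TLSError
    or on an explicit redirect back to http://. Returns (final scheme, status)."""
    headers = {UPGRADE_MARKER: "1"} if send_marker else {}
    try:
        resp = https_connect(headers, middlebox_present, upstream_ok)
    except TLSError:
        return ("http", 200)  # today's fallback: the connection never completed
    loc = resp.headers.get("Location", "")
    if resp.status in (301, 302, 307, 308) and loc.startswith("http://"):
        return ("http", 200)  # middlebox steered the upgraded request back to HTTP
    return ("https", resp.status)  # a response arrived, so no fallback is possible
```

Without a middlebox the broken origin raises a TLS error and the browser falls back; with a middlebox the handshake completes and the user is left on the 502 error page unless the marker header lets the middlebox redirect.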