Date: Tue, 29 Nov 1994 12:38:42 +0100
Message-Id: <199411291136.DAA28125@netcom2.netcom.com>
From: szabo@netcom.com (Nick Szabo)
To: Multiple recipients of list <www-proxy@www0.cern.ch>
Subject: Re: Carrying originating client details through proxy servers
Mark Eldridge:
> Are there any plans for proxying http servers to carry the originating
> client detail through to the intended http server?...
> Would there be security implications?
There are privacy implications, for those who like to use the proxy
servers to browse the web without getting dossiers collected on their
browsing habits. For example, I had fun earlier this year
doing competitive intelligence using CommerceNet's web server log,
which unnannounced (and perhaps unintended) they made publicallly
available. Perhaps not all these organizations wanted it known how
heavily they were interested in Internet commerce at that time.
There are a wide variety of other important reasons customers might
need privacy, with or without the cooperation of the server. Some
Internet payments systems require the customer giving up their privacy,
but others, notably DigiCash's ECash, do not, nor need browsing require
surrender of client detail.
Counting on the proxy server to supply the correct origin for any
security related purpose (such as payment) sounds like a bad idea to
me. Supplying origin client address for cache optimization sounds fine
as long as the user has the option to turn it off. Are there any objections
to putting this originating client detail forwarding under the control of
the originating client?
Nick Szabo szabo@netcom.com