ATIS Open Web Alliance. Jim McEachern Senior Technology Consultant ATIS 3 June 2014. Agenda. Welcome & Call to Order Introductions High-Level Workplan Use Cases & Use Case Analysis Open Service Optimization Proxy Next Steps & Future Meetings Adjournment. New OWA Members.
ATIS Procedure Notice: ATIS Forum and Committee activities must adhere to the ATIS Operating Procedures (including basic principles such as fairness, due process, respect for minority opinions, and common sense).
IPR Notice: In connection with the development of an American National Standard, or other deliverable that requires use of patented inventions, the use of patented inventions shall be governed by the ANSI Patent Policy as adopted by ATIS and as set forth in Section 10 of the "Operating Procedures for ATIS Forums and Committees." Under this policy:
Antitrust Risk Notice: The leaders further remind attendees that participation in industry fora involves the potential for antitrust concerns or risks. To avoid such concerns and risks, participants should carefully observe the "Operating Procedures for ATIS Forums and Committees". In addition, sensitive discussion topics such as price, territories, specific contractual terms, etc., should be avoided.
Questions: Participants having questions, comments, or concerns regarding any of these topics should consult with their company's legal counsel, the Committee leadership, ATIS staff, or ATIS legal counsel.
Alex's employer gives him a laptop computer, and when it's connected to their network, it should automatically use their proxy. Because the laptop is owned by his employer, they've installed a CA in its trust store, so that they can intercept traffic from it (as per his terms of employment).
It would be nice if Alex were reminded that this was happening while he was browsing the Web, but really he should know this anyway.
Also, Alex's browser would like some indication of the quality of encryption on the "other side" of the proxy.
Bobbie-Sue's employer allows her to use her own devices (laptop and phone) at work. However, to access some company assets, she needs to install a CA in her device trust store(s).
Bobbie-Sue trusts her employer, but doesn't want to let them intercept traffic to other sites; she should be able to either limit the ability of the CA to her company's sites, not allow it to be used for interception at all, or detect when it's in use for interception.
Charlie runs a coffee shop that provides Wifi to its customers. Before they use the network, however, he needs to show them a "terms and conditions" page, and perhaps get login details from them.
Charlie doesn't want to intercept his customers' traffic after that, but he does need a way to show them the network login page, even when the browser tries to go to a HTTPS site.
Darlene is an executive at a mobile provider, and is responsible for building out their network. If Darlene's customers use too much bandwidth, she needs to deploy very expensive cell towers to provide capacity, which in turn means she needs to raise prices, potentially making her company less competitive.
Therefore, Darlene has a strong incentive to save bandwidth or downgrade QoS for a category of traffic. By intercepting Web traffic, she can increase the capacity and responsiveness of her network by transcoding or downgrading QoS for content -- e.g., images and especially videos -- often (but not always) without the end user noticing (since they tend to be using smaller screens than the original video was intended).
While Darlene used to apply these optimisations across the board, recently she has been using products that adapt to load and "hot spots" in her network, so that she only optimises when necessary.
Eliot lives in a remote village where Internet connectivity is quite poor, both in terms of bandwidth and latency. His co-villagers spend a lot of time browsing the Web, and so would benefit from a shared caching proxy.
More encryption of HTTP makes it difficult for the village to deploy a proxy; while CDNs help "big" sites, it doesn't help the rest of their Web traffic, and doesn't even help the "big" sites unless the CDN has a node deployed on their side of the bottleneck.
Francine's computer has a virus scanner that needs to inspect all traffic -- encrypted or not -- as it goes by, and potentially modify responses ("cleaning" them), or rejecting them outright.
The virus scanner achieves this currently by inserting a CA into Francine's trust store and performing TLS MITM on it.
Grant uses a proxy to debug his application, and needs "raw" access to the data stream. Like Francine, he can achieve this by inserting a CA into his trust store and MITM'ing the stream, but this is cumbersome.
Henrietta runs an educational institution inside a house of incarceration (since they share so many attributes). While her student inmates are allowed to surf the Web, they are not allowed to access prohibited resources -- indicated by URL as well as content.
As a result, Henrietta needs to see all traffic that goes by.
Ian is an executive in a fictional ethical banking institution. He needs to ensure that his employees are complying with various legal requirements as they use the Web. In particular, he wants to assure that proprietary and sensitive information is not leaving via upload forms, etc.
As a result, he needs access to all outgoing content.
Jane has a new Internet of Things device of some sort in her house, but she also has an access gateway that proxies all HTTP to the outside world. As such, she needs to easily configure it to use the proxy.
Kirk's kids use all kinds of internet-connected devices in his family home, such as laptops, desktops and phones. He wants to maintain a proxy that limits access to certain Web sites from any of these devices attached to his home network to keep his kids on the safer side of the Web.
Liam runs a Mobile Identity Proxy in a Mobile Network and needs to add the real/anonymous mobile identity of the user as HTTP header, to facilitate the seamless authentication of the user by the service provider.
Mike manages a very popular Rock music web site based on individual subscription and per month fee. To develop his business he partnered with a mobile operator who wants to provide rock music as bonus to his premium data subscribers. Alice is fond of Rock music. Thanks to her premium data subscription plan, Alice has an unlimited access to a Rock music web site. Thanks to service augmentation, Alice has seamless access to its favorite streaming music. Alice loves this seamless approach which protects her privacy and avoids the need to remember yet another login and password couple.
Nancy's kids use mobile devices such as phones and tablets outside home. Nancy wants to sign up those devices with mobile operator's parental control service which is set up through a proxy to limit access from those devices to certain web sites to keep her kids browsing safely, and also limit certain contents like video streaming when close to the data plan quota in order to keep the data usage under control and no surprise bill.
Oscar runs an on-site education testing and professional certification company. His clients are students that need to take the online tests like TOEFEL, SAT as well as individuals required by their profession to getting/renewing their certification. Due to the nature of the business and in order to prevent cheating, Oscar has restricted access to only the online sites offering the tests during the testing hours. In order to maintain his credibility with the certification organizations he needs to make sure that employees authenticate, and their access to the testing sites is monitored for audit purposes.
Peter owns a flower delivery company and he just started taking orders online. He got feedback that while some of his customers are frequently ordering from their mobile phones, others call in because they don’t want to pay for the data. In order to grow the business and reduce costs associated with the dedicated phone order representatives, he partnered with several mobile operators to cover and pay for the data usage associated with his customers’ access to his website.
Quincy runs a successful business allowing his customers to download movies for rent or to buy. His customers are increasingly using their smartphones to view the movies on the go but a common complaint was that with the increased size of the downloads they had no way to intuitively determine if they reached their data plan limits and incurred significant overcharges. Quincy had partnered with several mobile operators and his developers are able to receive in real-time (in a form of a custom header) the remaining data value for the current billing cycle. With this enhancement, Quincy was able to pre-emptively and accurately notify his customers when they were close to reaching their limits without the need for his users to disclose their phone numbers, and therefore minimize the information he collected from them.
Rick provides high-bandwidth Wifi in-flight via a satellite network. The high latency of satellite means that HTTP prefetching, caching, and compression are needed to provide the snappy web performance that users have come to expect from broadband networks. Like Darlene, Rick also wants to save bandwidth usage via caching and compression. Rick's users are airline travelers who will temporarily opt-in to trust the proxy and/or only trust the proxy for specific sites.
Bob and Alice are two university students in a developing country. The university forward proxy has a large cache and a limited international connection in order to reduce its network bill. Bob and Alice study network and IT. The students of their section frequently download the same RFCs from the IETF site. In practice, when the proxy downloads a file from the IETF, it saves the document for two weeks in its cache as far as there is available storage. Students are very happy with this situation as they access the documents very quickly.
Tom lives far enough from town that Telcos are not able to make the economics work to lay wire to his home. He therefore relies on satellite for his broadband Internet. The high latency of satellite means that HTTP prefetching, caching, and compression are needed to provide the snappy web performance Tom's friends get in town. Tom is willing to trust his service provider to decrypt his HTTPS traffic for most sites in exchange for page load time acceleration but would also like the ability to disable this decryption for activities like online banking.
Ulrich is keeping up a collection of proxy servers to help internet users in Elbonia bypass internet censorship in their country. The proxies are set up in jurisdictions outside the censorship regime and control of Elbonian authorities. To thwart deep packet inspection, all connections between the clients and the proxy look to an on-the-wire observer like opaque TLS-encrypted HTTP connections with no discernible features to detect proxy usage. To save network traffic and reduce possibility of detection, the proxies only serve resources that are actually banned, the rest to be retrieved directly by the clients. To this end, proxy auto-configuration scripts are provided for the clients allowing selective proxy usage. "HTTPS" PAC directive could be used as currently implemented by Chrome.
Use case analysis would consider:
Soliciting Volunteers to Participate in Use Case Analysis