False claim in privacy section

[MattMenke2]

The privacy section claims that the server IP is available to the server. This isn't always the case. If I set up all DNS resolutions to map to a transparent (SSL-MitMing) proxy, then NEL exposes the IP of that proxy, which is PII, regardless of whether or not the proxy has a public IP address, to the NEL server.

This might be an unusual setup, but I still think it needs to be mentioned, and the claim that this information is always public needs to be corrected.

[yoavweiss]

/cc @clelland

[yoavweiss]

@MattMenke2 - it's unclear to me what's the scenario you're referring to as a "transparent proxy".
Is the proxy UA set? Is it something that the user's network automatically sends traffic to? something else?

It seems to me that for proxies that are UA set, we can (and do, IIUC) exclude them from NEL reports. But if we're talking about proxies that the network automatically sends traffic to, the client in that case is not aware of the proxy's IP, and hence can't report it.

I'm sure I'm missing something, so I'd love clarifications.

[MattMenke2]

If the browser doesn't know about it, I'd call it transparent - Chrome certainly doesn't know there's a proxy. Proxies that work at the DNS layer (unusual, since they require an SSL-decrypting proxy, and certs installed on the client to allow that) don't require Chrome to know about them.

Chrome isn't aware of the proxy's IP, but it's aware of its own IP, and (I assume - it's been 4 years since I made that comment) sending something to the server that the server would not otherwise get.

[MattMenke2]

Sorry, Chrome is giving the server IP to the server, I think? If there's a proxy that works at the DNS layer, then Chrome would be giving the proxy's IP to the server, not the server's IP. Chrome knows the proxy IP because Chrome uses DNS to look up IPs, and DNS would be returning the "transparent" proxy's IP, not the server's.

[clelland]

I agree with @yoavweiss that we should exclude server_ip if the UA knows that a proxy should be used; in that case the UA knows that it is deliberately not attempting to connect directly to the origin server. I think that Chrome does this, but it should be explicit in the spec.

The most that we can do about proxies that are not visible to the client is a note in the spec, which I think was the original request.

[MattMenke2]

The issue is Chrome may not know a proxy is in use (Proxy could work at the DNS layer + locally installed certs, as opposed to being explicitly configured), in which case, providing the "server IP" is actually providing the server with the proxy IP.

[MattMenke2]

Chrome may be able to check if it's using a publicly trusted cert or not (I'm not positive of that), and just not send along the server IP if so. That would be a more restrictive check, though, since it would affect explicitly configured proxies which also decrypt SSL, using a locally installed cert. This is likely a more common configuration, used by some enterprises.