helo world.

httpa.info

TL;DR: "httpa" is the working title for "make the internet proxy-friendly again". ( httpa like "http but authentic" )

every one is afraid that his traffic is stolen/alterd/manipulated in the middle. ( to: NSA; Hi ! )
https is a solution for this. ( if done propper.. )
https is a killer for web-proxies.

currently: nearly dead, as the trend-to-https is growing.
- im not against https. i just say it not really needed in much cases. ( online-banking: yes; 27th download of jquery-latest.js (it's open-source) ? no )
also, those fancy CMS "yo, lets generate everything on the fly and mark it non-cachable" - bäh
but in the end, you ( sure, you have that 10 gbp/s fibre connected to backbone ) and the content-provider has an issue with https.
- and they pay good money for content-delivery networks.
a local proxy ( lets assume a nice machine with ssd's ) is rocket-fast.
- local proxy can be at your computer, in your (company-) network, on your ISP-level, on continent-/island-level.

most of the information is not really secure - in sence of secret.
- it must be authentic ( you might not like the jquery-latest-with-password-stealer-embedded.js ? )
so lets find a way to ensure, the downloaded data is authentic, but still cacheable.

a "httpa" link ( httpa://example.com/1gbupdatedata.zip ).
the "tool" ( browser, curl, ... ) knows how to handle the protocol.
it gets via HTTPS the meta info: ( https://example.com/1gbupdatedata.zip?httpa_metadata )
- hash_md5 = affeaffeaffeaffe
- hash_sha1 = 1234123412341234123412341234
- -> we just transfered a few bytes.
it gets the data ( http://example.com/1gbupdate.zip )
- it downloads, calculates hashes, compares to what we got before in https.
- this data can be cached in proxies; so, 2nd time it will be fast.
servers could tell about there ability to serve httpa:
- set a record in /.well-known/httpa with "v1.0" ( or something like that )

how many copies of jquery-latest.min.js you downloaded today via https ?
what about the windows-/ios-/android-updates, for each and every computer ?
also: today, "programing" is 10% glue-togther some 90% libraris, dependency-managed by a tool. ( composer, gradle, .. )
- this is not per-se bad, re-inventing-wheels is.

sending header info about what hash-expected can help the aware-proxy to not deliver outdated data.

I like to compare this with email:
- plain text-email: like a postcard: http
- pgp-encrypted email: secure like hell: https
- signed-email: plain-text but tamper-prove: httpa <-- missing atm (??)
i would really like to avoid a new protocol ( we just had 20year ipv6 ? ) - bring up better ideas.
- there might be some tricks like you browser checks the .well-known directory for hints
- or you proxy does.
- or there is some dns-based-whatever

in html, there is the <source .. integrity="xx" > statement. nice, but works for script and link only.
in the past there was the idea of signed .jar ( javascript archive ). but that was too powerfull.

remember - status = idea.
- I would realy love to say - "oh, didnt see this or that, lets forget it. ( and tell the rest of the net how to fix )"
if you find that cool, write the RFC and the implementation - take the credit;

i played around with apps and other stuff in docker-containers
- donwloading the same-same .jar into a dockercontainer - which does use a proxy - but stuff is via https.
run myself a .deb proxy, just for a few PC in backed. ( this works; btw, .deb is a signed package, so save on this side )
play with docker ? yes, you will download tonns of identical stuff.
you run your CI which builds over and over same stuff ? ( and downloads https - stuff again and agian .. it's fast, right ? )
run muliple win-/mac-/android-/ios- .. devices at home ( but no sentral win-/mac-/update-server ? ) - you donwload same stuff again and again

side-note: jquery-latest.js is just a example, pretty sure they do a good job.