Re: HTTP/2 and Pervasive Monitoring
Greg Wilkins <gregw@intalio.com> Fri, 15 August 2014 06:03 UTC
From: Greg Wilkins <gregw@intalio.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 15 August 2014 12:58, Mark Nottingham <mnot@mnot.net> wrote:

> It's safe to say that pervasive monitoring is very relevant to HTTP.

I'm not so sure about this.

The vast bulk of PM issues, at least as they are discussed in Australia, are related to the collection and retention of meta data. Who you talked to, when you connected, how much data, who you connected to next, etc.

While I'm sure inspection of content is also an issue, it is secondary to the meta data issues. Also many of the players involved in PM attacks have access to the unencrypted end points, so transport encryption is a long way off being a silver bullet for protection from PM.

There is very little that we can do within a protocol like HTTP to address such meta data collection. Moreover, the problems that we face are similar to PM issues that other application protocols face. SMTP, POP, IMAP, Websocket, IRC, SIP etc. all need similar protection as HTTP. Solving PM is not something that I think that any of these protocols can do on their own.

Essentially PM is something that needs to be addressed at the TCP/IP level as I would suggest that any protocol using TCP/IP is subject to significant PM attack regardless of encryption.

Note that I'm not necessarily arguing against https only.... I'm really just saying that to pretend that this gives any significant defence against PM is to oversell what it achieves or what can be achieved by any application protocol stand alone.

It is indeed a problem, I just don't think we can put our hand up as being able to solve it.

regards

--
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.