Re: HTTP/2 and Pervasive Monitoring

Eliot Lear <lear@cisco.com> Sun, 17 August 2014 06:22 UTC

Message-ID: <53F0496A.9040307@cisco.com>
Date: Sun, 17 Aug 2014 08:19:22 +0200
From: Eliot Lear <lear@cisco.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>, Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <4851.1408094168@critter.freebsd.dk> <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net> <5871.1408106089@critter.freebsd.dk>
In-Reply-To: <5871.1408106089@critter.freebsd.dk>
Archived-At: <http://www.w3.org/mid/53F0496A.9040307@cisco.com>

On 8/15/14, 2:34 PM, Poul-Henning Kamp wrote:
> By whitening the present HTTP plaintext traffic with TLS, even with
> quite weak cipher-suites, we dramatically increase the cost of the
> post-analysis step, instantly making that filter impossible.

This presumes that the use of weak cipher suites is actually cheaper to
the endpoints than strong ones.  Is that really the case?

Eliot
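One way to check the premise behind Eliot's question on a given host, as an added example that is not part of the original thread: measure bulk-encryption throughput of a few TLS record ciphers with `openssl speed`. The script assumes an `openssl` binary on PATH; the cipher names are OpenSSL EVP names, the 16 KiB block size is chosen to approximate one full TLS record, and `rc4` may report "unavailable" under OpenSSL 3 unless the legacy provider is loaded. On CPUs with AES-NI and CLMUL the AEAD suite usually wins outright, which is the kind of evidence the question is asking for.

```shell
#!/bin/sh
# Added example (not from the original thread): measure bulk-encryption
# throughput of a few TLS record ciphers on this host with `openssl speed`,
# to test whether a "weak" suite is actually cheaper for the endpoint than a
# strong AEAD suite. Assumes an `openssl` binary on PATH; results depend on
# the CPU (AES-NI, CLMUL) and the OpenSSL build, which is exactly the point.

# Throughput in kB/s for one EVP cipher at a 16 KiB block size (about one
# full TLS record), or "unavailable" if this OpenSSL does not offer the
# cipher (e.g. rc4 under OpenSSL 3 without the legacy provider).
cipher_throughput() {
    alg=$1
    out=$(openssl speed -evp "$alg" -seconds 1 -bytes 16384 2>/dev/null) \
        || { echo unavailable; return 0; }
    # The final line of the report is the data row, e.g.
    #   "AES-128-GCM   4159383.55k"; drop the trailing "k".
    printf '%s\n' "$out" | tail -n 1 | awk '{ v=$NF; sub(/k$/, "", v); print v }'
}

# Ratio of two throughput figures (strong / weak) as a decimal string;
# a value above 1 means the strong suite is faster on this host.
# Prints "n/a" if either figure is "unavailable".
throughput_ratio() {
    strong=$1
    weak=$2
    if [ "$strong" = unavailable ] || [ "$weak" = unavailable ]; then
        echo n/a
        return 0
    fi
    awk -v s="$strong" -v w="$weak" 'BEGIN { printf "%.2f\n", s / w }'
}

# Measure each cipher once, then compare the strong AEAD suite against the
# two "weak" ones (hypothetical choice of ciphers for illustration).
gcm=$(cipher_throughput aes-128-gcm)
chacha=$(cipher_throughput chacha20-poly1305)
tdes=$(cipher_throughput des-ede3-cbc)
rc4=$(cipher_throughput rc4)

printf '%-20s %14s kB/s\n' aes-128-gcm "$gcm"
printf '%-20s %14s kB/s\n' chacha20-poly1305 "$chacha"
printf '%-20s %14s kB/s\n' des-ede3-cbc "$tdes"
printf '%-20s %14s kB/s\n' rc4 "$rc4"
printf 'aes-128-gcm / des-ede3-cbc: %s\n' "$(throughput_ratio "$gcm" "$tdes")"
printf 'aes-128-gcm / rc4:          %s\n' "$(throughput_ratio "$gcm" "$rc4")"
```

Run it on the actual client and server hardware you care about rather than a developer laptop: the answer turns on hardware acceleration, and a CPU without AES-NI gives a different ratio than one with it.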