Re: HTTP/2 and Pervasive Monitoring

Roland Zink <roland@zinks.de> Sat, 16 August 2014 07:05 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Roland Zink <roland@zinks.de>
X-Mailer: iPad Mail (11D257)
In-Reply-To: <53EE6263.2000802@cisco.com>
Date: Sat, 16 Aug 2014 09:01:58 +0200
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7E015395-13C4-413B-9E73-F3AE113BC75E@zinks.de>
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <53EDFCC9.1080606@cisco.com> <93E15423-C813-43B9-A7D4-C8490D9F6BAD@zinks.de> <53EE6263.2000802@cisco.com>
To: Eliot Lear <lear@cisco.com>
Subject: Re: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/7E015395-13C4-413B-9E73-F3AE113BC75E@zinks.de>


> On 15.08.2014 at 21:41, Eliot Lear <lear@cisco.com> wrote:
> 
> 
>> On 8/15/14, 7:25 PM, Roland Zink wrote:
>> Don't think that a valid cert really helps here although it may give a
>> hint about who is responsible.
> 
> We don't have causality, but we do have data.  And so one man's
> conjecture is as good as the next's.  Here's mine: the majority of
> illicit servers are actually running on hacked systems and the data is
> being served off a simple HTTP server, where no warning is produced.  It
> costs money to get a cert for that system, which doesn't actually buy
> the miscreant anything.
> 
> Eliot
> 
If the hacked system is a web server, then the assumption is that it will have a valid cert in the future, and there will be no need to add one. If the system is at home, then my proposal was to stop this in the home user's network through inspection of the traffic, regardless of whether a valid cert is installed or not.

Roland