Re: Content-Encoding and MITM devices
Lucas Pardue <lucaspardue.24.7@gmail.com> Thu, 04 April 2024 15:04 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA3C6C14F6B9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 4 Apr 2024 08:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.847
X-Spam-Level:
X-Spam-Status: No, score=-2.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="BugS3xgO"; dkim=pass (2048-bit key) header.d=w3.org header.b="d7ydwKMn"; dkim=pass (2048-bit key) header.d=gmail.com header.b="lA7J3JAC"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jRa8vqX05IIQ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 4 Apr 2024 08:04:42 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC6AC14F6B2 for <httpbisa-archive-bis2Juki@ietf.org>; Thu, 4 Apr 2024 08:04:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=bXuFfNgQOcTuP8xRMpTjPwGdI/b8pAli/htUjeJfsQ8=; b=BugS3xgO+qY/czI/2HVW2cQBCO WbiETbdA4FTbgDYP8HesqBnU6kPbHsC8DELHVbZ21rph20EyyJUfXrTQhzIktVhb/9y0IYvdxgU8r U6YcnVbVANFWRDd3bcrK+VLvtDC2AT4Yj5cllGn9ey931Q88YMhtYhOYPh8hrBt1FTS1zBfkUPFKu KXtzxvg11klKUkj960oboy5+5Ys1t8BIM1MD0xC1UsG3CaZMhH1XwN2sbEJqRes+sJnq/BCZ3Nsib qcd6jYdXkDNo6VqMyN/Jj1UtMNIX6oqexUnBgV4Rz8nIQ4uGdP8sPuB216eschEpjEIbUJ686yg1u TJ2SR1zw==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1rsOdK-0055Sk-0a for ietf-http-wg-dist@listhub.w3.org; Thu, 04 Apr 2024 15:04:06 +0000
Resent-Date: Thu, 04 Apr 2024 15:04:06 +0000
Resent-Message-Id: <E1rsOdK-0055Sk-0a@mab.w3.org>
Received: from ip-10-0-0-224.ec2.internal ([10.0.0.224] helo=puck.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <lucaspardue.24.7@gmail.com>) id 1rsOdH-0055Ro-17 for ietf-http-wg@listhub.w3.org; Thu, 04 Apr 2024 15:04:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=bXuFfNgQOcTuP8xRMpTjPwGdI/b8pAli/htUjeJfsQ8=; t=1712243043; x=1713107043; b=d7ydwKMnB9tJvaLIsViX4rQjS8K78Z0Z6UJktgZf1A7oHofPJaESZ+ee93CVcV6yXuUjWvGBTbA c1LGXnjpdfRL2q2+3/cs86rNRsVTIwk6VAFBLlQZqk+BEVqescUmlh6zpBRPGXOHUH+dQ977lzzlH XnY4KvsC3OMsYx6kw2u40gs/5sBO4tF1IrwbOj+lx2uPbZwr32bdO7yR5JHN0k8Q6eqr9Wwjsxnq/ miBdhqGgI2SpAlHuLYmTNhCuSaFCzNzxsjAUhixiS43i2eo0Olz+JObxn6W6UJN5dV08b/xI2oaOL 3yGtJDE3E3PhBacIRMkp0vBeIe7NZ0RForYA==;
Received-SPF: pass (puck.w3.org: domain of gmail.com designates 2001:4860:4864:20::2e as permitted sender) client-ip=2001:4860:4864:20::2e; envelope-from=lucaspardue.24.7@gmail.com; helo=mail-oa1-x2e.google.com;
Received: from mail-oa1-x2e.google.com ([2001:4860:4864:20::2e]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <lucaspardue.24.7@gmail.com>) id 1rsOdG-000SAM-26 for ietf-http-wg@w3.org; Thu, 04 Apr 2024 15:04:03 +0000
Received: by mail-oa1-x2e.google.com with SMTP id 586e51a60fabf-22e7560b94aso529044fac.2 for <ietf-http-wg@w3.org>; Thu, 04 Apr 2024 08:04:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712243039; x=1712847839; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bXuFfNgQOcTuP8xRMpTjPwGdI/b8pAli/htUjeJfsQ8=; b=lA7J3JACuocZzkr821D4sM+1s/p8q2w1hrh7OE/mVMK3hzhe9NcWtDTqzMHgFh+UeL k3rN1YsBdcZLEfXJavEn7Bkj1LD7hM+6ctmAmAc78zRoDlLrgn7UbTKic82F6EATtZ6e tmKnFQqYUPpASIA+yrVI5WRHpgSSi2tnT4NE8wadi4kYAjxJIny3c9T80JWOZJZ1Y2JV r67HjY8STQPTFgwdOdnQXCKkfrLJE4mkxEj3Wv1ZsayB7nKDQWUHY/CdcVG8Y7fIzXn4 iipwQNi37hpe38XYQAeGDIRSUSbdWIHndsmLwmu46f8GaNkUjfAfMTP1SiLOIHzGZAZO 6qNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712243039; x=1712847839; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bXuFfNgQOcTuP8xRMpTjPwGdI/b8pAli/htUjeJfsQ8=; b=pRAt20+atAZgaRmk6MPz35qe03OQRL/3uePPU4B1fs1zFY/oXhOP+e7+p65fqPLfWP sxXK4UaIxmAbrW4/GLlKQ72K5696y+svUbbthRc6adXgiQGOPen47eznxzUnGxmmI9xb sqjhN3av7yKLd4YbPM19X1dHrNCLNcmt2G6u+bJf1ubccgC+BTHv+G99yszv7sgJNPbU 9OaMO7aq63/QrxS+K2RIR3Xr4ldgvzQ6xgUUj6mSRCsqcqEDFpmCsCkmQhwDapFPLgaI n9k65RNjoasxXtuv/5MiuXTyeM7KXhCf4vZoj7XyP8D3SK2iKxzLgFqksTceyzF0A1Ul m65Q==
X-Gm-Message-State: AOJu0YzAxvuwHd0OtAmP2DRmAkVPWIAndnqPIYhMmjivdPilwnC7XlZ5 HS2nzmD/XeRmuVYdoW5KsE5vCd8srBL0B+Ge5Dc078D/jNHsXOM7xwo5QdDmbYF2HPzw3eXF2kk Rs/zKLkhPkSICTwUYlm+24zmn01ffIgDC72E=
X-Google-Smtp-Source: AGHT+IGOLP9VetiCIeK8kWccxG3TvGzXSjOkslISX1zO/k6Y2oDUlyL9AMpYwHkS56A1BO6W7zZIp+L0+9psR7YhZWk=
X-Received: by 2002:a05:6870:5492:b0:22e:9a09:77d6 with SMTP id f18-20020a056870549200b0022e9a0977d6mr2481186oan.31.1712243038858; Thu, 04 Apr 2024 08:03:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAJV+MGyYYG3cP7gbDnEm2xMFrQ-4X=2HhbObstJhs0LOeWpQLQ@mail.gmail.com> <CALGR9ob_a5u15crRQ7MaRmgaE=NUN1c_YLMxAp3-LL4x3MPqfA@mail.gmail.com> <CAJV+MGzJk9Zu=JuVioYt75YhxvLK8bs=EhT2-TnSqP5i+6mRJQ@mail.gmail.com>
In-Reply-To: <CAJV+MGzJk9Zu=JuVioYt75YhxvLK8bs=EhT2-TnSqP5i+6mRJQ@mail.gmail.com>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Thu, 04 Apr 2024 16:03:47 +0100
Message-ID: <CALGR9oaNv37_TCdxRnfPxt30Grg30_dz-_Nx7q1q7=xAVcbXfA@mail.gmail.com>
To: Patrick Meenan <patmeenan@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="00000000000019b469061546a6e5"
X-W3C-Hub-DKIM-Status: validation passed: (address=lucaspardue.24.7@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: puck.w3.org 1rsOdG-000SAM-26 5e9117181e3d3485929aeae775993eef
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Content-Encoding and MITM devices
Archived-At: <https://www.w3.org/mid/CALGR9oaNv37_TCdxRnfPxt30Grg30_dz-_Nx7q1q7=xAVcbXfA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51918
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Thu, 4 Apr 2024, 15:43 Patrick Meenan, <patmeenan@gmail.com> wrote: > More inline... > > On Thu, Apr 4, 2024 at 10:24 AM Lucas Pardue <lucaspardue.24.7@gmail.com> > wrote: > >> >> On Thu, 4 Apr 2024, 14:20 Patrick Meenan, <patmeenan@gmail.com> wrote: >> >>> Longer-term it would be nice if we can find a way to keep the situation >>> from getting worse (I don't want to end up in a place where we can only >>> launch features and protocol changes to HTTP/3 connections to well-known >>> trust roots). >>> >> >> IIUC correctly, Chromium connection policy does not support MITM for >> HTTP/3 unless there is an explicit list is passed in via a command line >> option. In other words, blanket MITM QUlC is not supported and the browser >> fails back to TCP-based HTTP. So the numbers you see are likely affected >> by that policy. Just wanted to check if you'd factored that into the >> analysis or not. >> > > I can't speak to MITM HTTP/3 being safe or not, just that HTTP/3 from > Chrome's current config was clean and HTTP/1.1 and HTTP/2 was fine when not > MITM but had elevated errors when MITM. I was under the impression that > enterprises generally block UDP 443 to force TCP that can be intercepted > with existing equipment but I guess there could be HTTP/3 (well, QUIC > specifically) interceptors as well. > To use an example I am familiar with, Cloudflare has a products for HTTP inspection that supports HTTP/3 [1]. The typical use case is an organisation provisions employees computers with the required trust roots. Such orgs are not blocking UDP or QUIC, rather Chrome is not accepting connections that attempt to use certs tied to that root. The MITM deployment effectively allows all certs to be created this way and there is no means to pass a wildcard to Chrome, it needs an explicit list. In theory if you had a set of origin trial domains for an explicit list, you could ask some volunteers to trial out their MITM to see how it deals with H3 and compression dictionaries. > >> >>> - Should we start greasing existing HTTP header fields (or at least the >>> content-encoding)? >>> >> >> I think that depends on the failure types you are observing. Is the >> intermediary erroring in the presence of a header field value, or because >> of actual content negotiation? It can be hard to grease actual functional >> code paths (in effect, it seems like you are already doing so in your >> origin trial ;-) ) >> > > For content-encoding specifically, would it be worth greasing different > encoding types so the next time it is changed we can be sure that MITM > software correctly modifies the accept-encoding to what they support rather > than just adding support for each new encoding as it happens. > I'm not sure how we would test that unless the server receiving the accept-encoding knew the request was coming via an intermediary. Which is possibly your motivations for asking about signalling? > >> >> - Should information about the trust root used for a connection be >>> web-exposed, server-exposed or user-exposed? >>> >> >> I suspect this might have some privacy implications. There was some >> chatter in the last couple of years about how one of the resource/perf >> timing APIs that exposes nextHopProtocol could reveal the presence of a >> proxy and that it has privacy implications. >> >> There was also some chatter in the community about logging whether >> connections had traversed some form of non-MITM proxy (e.g. whether video >> had been played over something like private relay), targeted more at trying >> to spot on aggregate whether performance characteristics were affected when >> going direct vs proxied. >> >> I don't have a direct answer to your suggestion, other than there are >> non-technical items to resolve before we might think about any solutions. >> >> > Agreed that there are likely privacy/fingerprinting things to worry about > here but there are probably privacy aspects on both sides of it (the > connections not being e2e private on the network path). Granted, once > someone has access to the end device, it can't be trusted so whatever > installed the local trust root could also monitor by other means but it > also feels a bit wrong to provide no indication of the potential for > network intercept (maybe it's a product issue more than a protocol issue). > The concerns I heard were not about a MITM in the network. Instead it was more wrt things like on-device Antivirus software. The user (or their admin) has already made the decision to enroll in the MITM and accept the risks thst come with it. Revealing that a MITM was in place and used, to some untrusted third-party (the web server, or the user agent vendor), was where the privacy concerns were pointed. NB: I'm not supporting nor refuting those concerns, just trying to clarify [1] - https://blog.cloudflare.com/cloudflare-gateway-http3-inspection >
- Content-Encoding and MITM devices Patrick Meenan
- Re: Content-Encoding and MITM devices Patrick Meenan
- Re: Content-Encoding and MITM devices Lucas Pardue
- Re: Content-Encoding and MITM devices Lucas Pardue