Re: HTTP/2 and Pervasive Monitoring
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 16 August 2014 00:30 UTC
To: Poul-Henning Kamp <phk@phk.freebsd.dk>, Greg Wilkins <gregw@intalio.com>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/53EEA563.4020703@cs.tcd.ie>

On 16/08/14 01:03, Poul-Henning Kamp wrote:
> --------
> In message <CAH_y2NHOspsVugNZZgvD3XMZ522PzNkTRMS1dapcRDWQCL5ZsQ@mail.gmail.com>
> , Greg Wilkins writes:
>
>> ie the overwhelming response to BCP188 should be that this is not a problem
>> we can fix on our own, but we are prepared to be part of the solution.
>
> Agreed, but I think we should also point out that defending against
> the 'pervasive' aspect is much cheaper than "real" privacy.
>

I've disagreed with one aspect of this offlist in some exchanges with PHK.

I do not think that weak ciphers form any part of the mitigation to PM. Using such would I think inevitably leave open vulnerabilities that would allow the bad actor to continue to do PM at no significantly greater expense. For example, if a "faster weaker" cipher were to be used, that is always distinguishable (e.g. via timing), allowing the bad actor to simply record ciphertext for those packets and decrypt later on demand.

PHK and I disagree a bit about the definition of PM in that respect. I conclude that BCP188 would include storing breakable ciphertext in the definition of PM. He doesn't.

So I don't agree with his distinction, if "real" privacy is meant to mean strong encryption and cheaper is meant to mean something trivially breakable.

And I think that leads us back to the opp-sec draft as this WG's specific response to PM.

S.