Re: PRISM and HTTP/2.0

Nico Williams <nico@cryptonector.com> Mon, 15 July 2013 17:58 UTC


On Sat, Jul 13, 2013 at 5:08 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> We can do three things in light of this:
>
> 1) We can try to add more encryption to fight back.
>
> 2) We can recognize that there need to be hooks for duly authorized access.

We can't assume that this is either desired by any authorities
(they'll demand we do this if they want it, and they'll delay asking
for as long as possible as it'd be a big deal to ask for it) or
necessarily useful for #3.

The fact is that for now we're at the mercy of a) those authorities
who have deployed PRISMs, b) anybody who compromises them.  (b) is the
reason that PRISMs should not be built [0], but the same logic that
led all major WWII powers to have nuclear weapons programs during the
war must lead all sufficiently rich governments to seek to build
PRISMs.  As with nuclear weapons, we may well end up with stalemate
(see commentary on #3 below).

The only escape would be strong end-points, which then would
facilitate end-to-end security.  But that's a pipe dream, for several
reasons: i) some end-points with useful plaintext data will be
physically vulnerable to PRISMs, so the end-points in question have to
all be personal, rather than servers in data centers, ii) to get to
where we have strong personal end-points would require powerful market
forces (and time), but we see the market bent and made to serve its
masters (albeit never perfectly, as politics cannot change natural
law) the world over, which leads to the only, inescapable conclusion:
this is a political problem.

"#2 to get #3" is a political proposal.  It is to build something
expressly susceptible to attack by organizations who are themselves
targets and victims, so that they (and their victimizers) can
victimize those within their reach.  Take it to your
congresscritters/whatever.  Lobby.  Form a party.  Fund speech.  Do
what you have to.  But this is really the wrong forum.

> 3) We can change or at least influence the political objectives

Influence, *maybe*.  There are lots of nations' politics to influence.
It seems very unlikely to me that "#2 to get #3" will go far at all.

> I think PRISM is ample evidence that #1 will have the 100% certain
> result that all encryption will be circumvented, with bogus CA
> certs all the way up to PRISM and designed-in backdoors, and the
> net result is less or even no privacy for anybody everywhere.

It's way too soon to tell.  Consider the situation in China re: HTTPS
and MITM certs.  China has a CA they *could* use to MITM but don't, at
least not the big sites.  This was a big deal recently when they tried
to blackhole github, and they had to back down.  There are reports
that American companies are scared of losing business as a result of
PRISM.

Combine the fear of market share loss due to PRISM bad PR with the
situation in China and we get stalemate: in the end then every nation
would have to decide what traffic outside its borders (such as they
might be online) to MITM (that can be MITMed), what to blackhole, ...,
or whether to be an open society, but either end result is stalemate.
Of course, if large enough groups of allied countries agree to provide
each other with access to end-points in their jurisdictions, then
we're roughly back to today's situation.

To defeat PRISMs technologically requires: strong personal (mobile)
end-points as the only end-points (i.e., to store or move data in the
cloud it must be encrypted with keys not available to the cloud),
strong crypto, and protocols that cannot be MITMed, not even with the
user's acquiescence.  The last roughly implies something like ZKPPs,
which don't scale except when used as pre-authentication to protocols
like Kerberos or BrowserID, which bring with them long trust paths (as
that's their point: to act as introducers), making the whole thing
vulnerable once more.  In the absolute best case scenarios people end
up being vulnerable only to traffic analysis, social engineering, and
to rubber hose cryptanalysis, but you still have to trust so much
stuff (hardware, firmware, software) that it's almost certainly
infeasible for the foreseeable future...

...and that's probably why we're not being asked for #2, along with
the fact that #2 would be a *big* deal to ask for.  We'll be asked for
#2 if anti-PRISM tech begins to thrive, or realistically threatens to,
and probably no sooner.

[0] https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf