Re: HTTP/2 and Pervasive Monitoring

Greg Wilkins <gregw@intalio.com> Fri, 15 August 2014 23:16 UTC

From: Greg Wilkins <gregw@intalio.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 15 August 2014 18:56, Mark Nottingham <mnot@mnot.net> wrote:

>  (I think we’re in violent agreement here)


The difference is emphasis.

I think you are saying: "We are using TLS to mitigate PM, but it is not
perfect".

I think this WG should say: "An application protocol cannot significantly
mitigate PM. A network-level solution is required.  But we are
facilitating increased TLS usage which may mitigate some PM attacks or at
least prevent even more invasive PM"

i.e. the overwhelming response to BCP188 should be that this is not a problem
we can fix on our own, but we are prepared to be part of the solution.

cheers

-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.