IETF Logo Mail Archive

Re: FYI: Oblivious HTTP

David Benjamin <davidben@chromium.org> Sat, 30 January 2021 01:11 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6CF03A1449 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 29 Jan 2021 17:11:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.009
X-Spam-Level:
X-Spam-Status: No, score=-3.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WOeSGMTzebV for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 29 Jan 2021 17:11:29 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70BD33A1448 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 29 Jan 2021 17:11:29 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1l5eks-0001oQ-G5 for ietf-http-wg-dist@listhub.w3.org; Sat, 30 Jan 2021 01:08:50 +0000
Resent-Date: Sat, 30 Jan 2021 01:08:50 +0000
Resent-Message-Id: <E1l5eks-0001oQ-G5@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <davidben@google.com>) id 1l5ekr-0001nf-85 for ietf-http-wg@listhub.w3.org; Sat, 30 Jan 2021 01:08:49 +0000
Received: from mail-pj1-x1036.google.com ([2607:f8b0:4864:20::1036]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <davidben@google.com>) id 1l5ekp-0007FB-8R for ietf-http-wg@w3.org; Sat, 30 Jan 2021 01:08:49 +0000
Received: by mail-pj1-x1036.google.com with SMTP id gx1so7262394pjb.1 for <ietf-http-wg@w3.org>; Fri, 29 Jan 2021 17:08:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MetqGC2LW36NXzcTpMD5KM8Z+ex1uJizYqnFJfoC0Y8=; b=UydBQRWJl9oUL5acw0MyeHvyIiNJR+3NwITPcK4lGWNVpKbDomRWl5Msl2pTRfZB+6 49Z04yVxpbGYDuSeafORZgHmfEbLFaGEcdHRq56ayGJa5fVTKOLa26Pr/rljV6My5i2V lxtBxeGBRhvnk+wqQmGtAmGKURk8yXX9aZIT0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MetqGC2LW36NXzcTpMD5KM8Z+ex1uJizYqnFJfoC0Y8=; b=UwsCLnh/4iNMGyFceAkwEzwd/HOYdYJSZU0P187bndU4pHceXKI5tCTHynbDUSEJFX tH1wQw/OxYe6QKfhOtXQio4Hwb+ZW1lXAAYkyN3JQVh7Pi++okQt9p+wsDdTHaerJiYr eL8kYpgH3atX4rhO5BftrdFO/+8Ef95YdYIvwRSS2se7xFQPUCnz0qZjVpp2g8QUJEKq djoyDkRTRb6Kdw4SIaFoyUiTpe0rOhiCwpen9fTkuU15WL3X2HHBeAchqzh76FV/8V2l KBXoKpaZipnQ5tHLwYFfIrURVzXr3T1ajnasrq/JQU/9LlWeLMDUItyQ5OKKgR7NAl0I PH6w==
X-Gm-Message-State: AOAM531mJbC49yjlUIJiu15gfCz3Qe62n3PoPFHnWffbuExuTw+XCSl2 m9JChveqgtZCJZcU5np8tDts/Rztak/550AGLpvHCsu3H74V
X-Google-Smtp-Source: ABdhPJxyd1oU4XSHPTpiyok5n1LNX+iJ/Johj2THcms1ap+vUpz3zNd4/Grj5udgqAJRXSmXZkK14QlGDmsMNLEoXIg=
X-Received: by 2002:a17:90b:f05:: with SMTP id br5mr6867842pjb.162.1611968915668; Fri, 29 Jan 2021 17:08:35 -0800 (PST)
MIME-Version: 1.0
References: <ef91fafb-1586-4076-baa9-033326162eb1@www.fastmail.com> <776DC690-336A-4843-8EA1-DD5D426A0DD6@gbiv.com> <8bf39ffc-e6f8-4f0f-af2d-20e8eed154b9@www.fastmail.com>
In-Reply-To: <8bf39ffc-e6f8-4f0f-af2d-20e8eed154b9@www.fastmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 29 Jan 2021 20:08:19 -0500
Message-ID: <CAF8qwaCdK6zodL5QGmMSM4U80NdSiZ+KZ16-u2_SypiEo62Ocg@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000009c01b205ba13c284"
Received-SPF: pass client-ip=2607:f8b0:4864:20::1036; envelope-from=davidben@google.com; helo=mail-pj1-x1036.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=davidben@google.com domain=chromium.org), signature is good
X-W3C-Hub-Spam-Status: No, score=-11.5
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.249, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1l5ekp-0007FB-8R 2a6a9b190511888078b84f5e257e0d9b
X-Original-To: ietf-http-wg@w3.org
Subject: Re: FYI: Oblivious HTTP
Archived-At: <https://www.w3.org/mid/CAF8qwaCdK6zodL5QGmMSM4U80NdSiZ+KZ16-u2_SypiEo62Ocg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38420
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Thu, Jan 28, 2021 at 7:23 PM Martin Thomson <mt@lowentropy.net> wrote:

> I think that it might be best to respond with a little more context on
> what I believe the potential application of oblivious HTTP would be.  The
> draft doesn't really go into that, because that isn't really a good place
> to capture these sorts of things.
>
> Just to set this aside, I don't see this as building toward replicating
> something like Tor.  There are obvious parallels, but the two approaches
> have very different assumptions about trust and the incentives of various
> actors.  Tor, as a system, is also far more complex and ambitious.  So, by
> all means look for parallels in Tor, but understand that this has very
> different models for both the threats it considers and the environment it
> might be deployed in.
>
> The other thing that I think is important to understand is that - at least
> from my perspective - the goal is not to carry any significant proportion
> of HTTP requests.  For instance, I don't see this being used for web
> browsing.  If we're willing to echo cookies, then you can safely assume
> that we won't be making those requests oblivious.  And many other cases
> benefit from being able to establish some sort of continuity, if only to
> deal with denial of service risks.  Each application would have to be
> assessed on its own.
>
> The things that we're talking about using this are those cases where we
> have identified a privacy risk associated with having a server being able
> to link requests.  The original case in research was DNS queries, where it
> has been shown that building profiles of users based on their DNS activity
> has poor privacy properties.  At Mozilla, we're also considering this style
> of approach in other places that browsers make requests with information
> that might be sensitive, like telemetry reporting.
>
> There are non-trivial costs associated with setting this up.  As a proxy
> needs to be run by a separate entity, but they don't see any direct benefit
> from the service they provide, you have to arrange for their costs to be
> met somehow.  You need to do so in a way that the server can ensure that
> the proxy is not enabling DoS attacks, while also retaining sufficient
> independence that clients can trust the proxy.  This is harder as the use
> cases become more general, but we believe that this can be arranged for
> certain specific cases.
>
> Does the explanation about applicability help?  I realize now that I
> shouldn't have left this up to inference, and the draft should probably at
> least address the point directly, so I'll make sure that the next version
> does something about that.
>

I agree the draft should talk about this. I initially read it as intending
a general replacement for proxying strategies, which seemed odd. As you
note, in more stateful contexts like web browsing, the correlation
boundaries are so much larger than a request that this probably doesn't buy
much over simply partitioning connection pools. Whereas I could see
applications with more standalone requests wanting different tradeoffs.

One comment on the privacy properties here: the requests are only as
uncorrelated as the key configurations used by the client. In the online
HTTPS fetch model described here, if each client independently fetches, the
server could maintain many configs and serve a different one each time. I
assume that the client will cache the key configuration (otherwise it needs
a new fetch per request, at which point it may as well just tunnel HTTPS),
which means clients can be identified, or partially identified by their
keys. This is helped a bit by the small keyID size: the server gets 8 bits
plus a couple more from algorithm selections, and then the rest must come
from trial decryption. But how well this mitigates it depends on volume and
whether this could be combined with information in the requests themselves.
(E.g. telemetry reports may reveal platform information or rough
performance characteristics.) That's probably worth some text, both on the
privacy implications of the suggested configuration model, and on privacy
implications of configuration models in general.

Alternatively, the proxy could cache and serve the key configuration. Then
everyone behind the same proxy uses the same config. Though you'd then need
some kind of offline authentication on the config, such as SXGs.

I think the draft should also discuss the security implications a bit more,
since it's replacing the guarantees you'd otherwise get from proxying
HTTPS. Some things that came to mind:

- Related to all the online vs offline signature excitement, the client
probably needs to enforce a time bound on key configurations, in order to
contain the effects of a temporary compromise.

- Like TLS 1.3 0-RTT, encapsulated requests don't have replay protections
and lack forward secrecy. This shouldn't be used where replay protection
matters, and key configurations should be rotated frequently.

- Unlike TLS 1.3 0-RTT, encapsulated responses also lack forward secrecy.
(If it's an issue, I suppose you could fix this by doing a second HPKE in
the other direction and binding the two together.)

David

v2.23.0 | Report a Bug | By Email