IETF Logo Mail Archive

Re: Alt-Svc Privacy Concerns

Matthew Kerwin <matthew@kerwin.net.au> Sun, 10 April 2016 13:52 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A80912D5AD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 10 Apr 2016 06:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.916
X-Spam-Level:
X-Spam-Status: No, score=-7.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V-PxFKY_bkhU for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 10 Apr 2016 06:52:24 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17E6C12B01A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 10 Apr 2016 06:52:23 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1apFiG-0005wJ-1X for ietf-http-wg-dist@listhub.w3.org; Sun, 10 Apr 2016 13:47:40 +0000
Resent-Date: Sun, 10 Apr 2016 13:47:40 +0000
Resent-Message-Id: <E1apFiG-0005wJ-1X@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <phluid61@gmail.com>) id 1apFiB-0005vc-Nc for ietf-http-wg@listhub.w3.org; Sun, 10 Apr 2016 13:47:35 +0000
Received: from mail-io0-f175.google.com ([209.85.223.175]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <phluid61@gmail.com>) id 1apFi8-00031c-RU for ietf-http-wg@w3.org; Sun, 10 Apr 2016 13:47:35 +0000
Received: by mail-io0-f175.google.com with SMTP id u185so12431702iod.3 for <ietf-http-wg@w3.org>; Sun, 10 Apr 2016 06:47:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=wm6MMtCPkCmBxwtyeako5qAnekhJMoAUYAEIPAtBUSs=; b=cbven8cdhtrhnxrqtrZWvtyGZo+YMUv6TxiLuONRTgkg+zxjz7AWDAMhz07BauNuWQ b8QVTQyjMtXEhdi6JO2oaiBLe0mM/nPlpCMSZhvzpB/UsFy5If9NnjPiJaJ4ayJSkDNX fE8CYbLENAnyYep99Nt5jAQ8bY2IRWoIM4VBexQPxRn4sTAIdyAXS3S58sxaL3OeMYHS j+xp/P0lWDR3XaK6dgowK1vU/ruWXLVXvUaMPlSGKZIQKKfnUt8xemIh/120XeAbI//V CNxcRrXiL+CxWwcv/xzc9TOmKN2ix3985iXH2ZdilxnQEjCnCGsm/lGL7bcyxMUVVSOc kq5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=wm6MMtCPkCmBxwtyeako5qAnekhJMoAUYAEIPAtBUSs=; b=bzlPdoMTiNABbgmHqAPRNj6P7qVuQsv/X8fl8w8Bk1NwtiRQqDBOp+h5ouLpUFJobP 39ANdTf6POcC58FnBaCqQcZowCWN3GnEusC+mfFSqZCYnaHwUfV8OjEeTFBcr8YYdQC2 pRUGUV9wZ5KnSLRwxP/tJ5SveFfB+DC8RbgjmxxJpvum7vE9lrZm+fa1PKtRv0cmButS MT1VArr+T1YFMGwMNe2wLlFheDgtZqFAObqkurITDSYZeZvzMoAZiJmH1yF7sB7CyrEF gVoTdtj98isClrim3n4x1YZEjULYEjZ4N/MpInJCCH2oIxLOCE88ipuuKcZPDGS85Kov YTiw==
X-Gm-Message-State: AD7BkJJMJ9tLsEEGnrUQnj9dUsGG32WReuOsKQYPkxthVI+OHgNTDFnR7wSV3yDMS++8vajEp66kKmB+R+WFrw==
MIME-Version: 1.0
X-Received: by 10.107.10.87 with SMTP id u84mr18092669ioi.188.1460296026598; Sun, 10 Apr 2016 06:47:06 -0700 (PDT)
Sender: phluid61@gmail.com
Received: by 10.107.166.78 with HTTP; Sun, 10 Apr 2016 06:47:06 -0700 (PDT)
Received: by 10.107.166.78 with HTTP; Sun, 10 Apr 2016 06:47:06 -0700 (PDT)
In-Reply-To: <CAPofZaHQFtyW06-R44O7YzuDjU5v2Ekdc+1o8TvVkdVgrctegQ@mail.gmail.com>
References: <CAPofZaEG3gm79CznQuB8RdZb6hXYV7ZiBNTwYj=autVP1=_Cng@mail.gmail.com> <CABkgnnUr4bif_sLGYWq2CWEcZFzucjapjghF9E4HjnTvVGGfXw@mail.gmail.com> <CAPofZaEzobDStP9Pm2kSBZOMmmziu5N8bkALvb++ETdnva0K3A@mail.gmail.com> <CACweHNBoAOX4mWjyeAw7QWmsdb=zGVkx4-t2ftpcLzZg6k1sGg@mail.gmail.com> <CAPofZaHQFtyW06-R44O7YzuDjU5v2Ekdc+1o8TvVkdVgrctegQ@mail.gmail.com>
Date: Sun, 10 Apr 2016 23:47:06 +1000
X-Google-Sender-Auth: LKlqcJe1ZxsjohicXR8dU3jrATU
Message-ID: <CACweHNBeLa4-UVJmPiSaE+BiOWFnqTHkJe6qkZa2CmkNoTXL3w@mail.gmail.com>
From: Matthew Kerwin <matthew@kerwin.net.au>
To: Phil Lello <phil@dunlop-lello.uk>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113f9b42eeb146053021a9d3"
Received-SPF: pass client-ip=209.85.223.175; envelope-from=phluid61@gmail.com; helo=mail-io0-f175.google.com
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: AWL=-0.783, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1apFi8-00031c-RU 33c33ce11864c6ef884290bb3e81a1b0
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Alt-Svc Privacy Concerns
Archived-At: <http://www.w3.org/mid/CACweHNBeLa4-UVJmPiSaE+BiOWFnqTHkJe6qkZa2CmkNoTXL3w@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31411
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 10/04/2016 9:06 PM, "Phil Lello" <phil@dunlop-lello.uk> wrote:
>
> On Sun, Apr 10, 2016 at 5:47 AM, Matthew Kerwin <matthew@kerwin.net.au>
wrote:
>>
>>
>> This sounds like a UX thing -- incognito sessions oughtn't reuse
connections for different URI hostnames, even if the alt-svcs point to the
same name. The consent, then, is not being incognito.
>
>
> The primary justification I've read (both on IETF lists and industry
forums) for TLS-by-default and retiring HTTP-over-TCP boils down to not
trusting users to make security decisions for themselves. I don't see why
an inconsistent philosophy should be taken here.
>
> Given the history and motivation for the 2011 EU Directive on cookies, I
don't think that would be viewed as sufficient consent, and this could be
interpreted as bypassing the intent of the law (but let's not engage in too
much debate here, that's a job for the law makers).
>

If service providers want to cover their butts, can't they add an "EU
cookie law"-like banner that says, "We'll also do this thing, which could
leak personal info this way. Click this X to opt out" and then not send the
alt-svc stuff? The onus is on them not to stalk us, after all.

At least that way alt-svc is no worse than cookies, even if it's no better.

>>
>> Is it worth documenting this risk/advice somewhere, or is it already
self-evident?
>
> Given previous IETF standards and subsequent abuses (going back at 1981's
RFC 791 and Strict Source Routing), I don't think self-evident is good
enough.
>
> IMHO, the UX aspects need documenting, for the following reasons:
>
>  - It is presumably intended that the server certificate for the Alt-Svc
is matched on Host and not Alt-Svc
>  - It is reasonable to assume that with Alt-Svc, a user agent will
continue to display the original URI to avoid confusion (and because
correctly displaying both Alt-Used and Host in the URI would be ugly and
confusing).
>  - When viewing the certificate for a resource, the user agent needs to
choose between the chain for the Alt-Svc, which won't necessarily match the
original URI, the chain for the original URI, which misrepresents the
source of the information, or both chains, which will require further user
education.
>

I don't understand the third point... The cert for the alt-svc wouldn't be
any different than if the URI hostname was a CNAME pointing at the alt-svc
address, which serves a cert with a SAN for the original URI hostname. Or
am I misunderstanding how you verify that the alt-svc is a valid origin for
the URI?

It's not like receiving an alt-svc frame/header causes the client to
redirect the current request (does it?) -- it comes into play on subsequent
requests. Since by the time you hit the alt-svc there's no "original URI"
connection, there's no "original URI chain" per se.

>
> There appears to be a conflict when using Alt-Svc over TLS between
keeping information secret and respecting user privacy. Given that the IETF
has adopted a position on the former, it seems essential to adopt one on
the latter.

I don't follow; however...

The bigger conflict as I see it is between speed and privacy. Spinning up a
TCP connection across the world is slow enough, adding TLS just makes it
that much worse -- if you can reuse an existing tube you can save all of
that lost time. The cost, then, is that the server at the far end of that
tube knows for sure that the client at the near end is the same client for
both requests down that tube, which it might not otherwise know. It doesn't
know that the client is a single UA (or a single human) though; it might be
a gateway/proxy of some sort.

So the choice we offer to users is: maybe announce that you're one person
across multiple requests vs. maybe watch cat gifs sooner. We already
provide a similar choice: maybe announce that you're one person across
multiple requests vs. be able to use online services the way they're
written across sessions. (I.e. incognito vs. not). "Incognito" means
"privacy", so why not include this under that?

v2.23.0 | Report a Bug | By Email