RE: HTTP/2 and Pervasive Monitoring

"Albert Lunde" <atlunde@panix.com> Fri, 15 August 2014 13:11 UTC

From: Albert Lunde <atlunde@panix.com>
To: ietf-http-wg@w3.org
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <4851.1408094168@critter.freebsd.dk> <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net> <op.xkmwanaliw9drz@riaa>
In-Reply-To: <op.xkmwanaliw9drz@riaa>
Date: Fri, 15 Aug 2014 08:08:08 -0500
Message-ID: <01c101cfb889$f7814bf0$e683e3d0$@panix.com>
Subject: RE: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/01c101cfb889$f7814bf0$e683e3d0$@panix.com>

>What you can do in an MITM scenario isn't really relevant to PM. It's still harder to MITM weak TLS than clear text.
>
>I think it is more worrisome having the weak ciphers in there at all, as it opens up for bad configurations and downgrade attacks of https connections.

Outside the realm of standards, the print edition of "Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications" by Ivan Ristic just shipped (as in I expect to get a copy from Amazon later today). The chapter on OpenSSL has been available for a while, and helped me with some recent issues.
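The quoted reply argues that having weak suites enabled at all is what opens the door to bad configurations and downgrades. The following is an added example, not code from this thread or from the book mentioned above: a small audit of an OpenSSL-style cipher list against patterns for suites that should never be enabled, plus a toy server-preference negotiation that shows what an on-path attacker who strips suites from the offer can and cannot force. All suite lists, the pattern table and the attacker model are constructed for the example.

```python
"""Cipher-suite policy audit plus a toy downgrade negotiation.

Added example, not code from the thread or from Ivan Ristic's book. It
illustrates the quoted reply's point: a weak suite that is enabled at all
can be negotiated, while one that is never enabled cannot. Suite names use
OpenSSL's naming; every list below is constructed for the example.
"""
import re
import ssl

# Patterns for suites that should never be enabled (constructed, not exhaustive).
WEAK_PATTERNS = [
    (r"(^|-)NULL(-|$)",     "no encryption (eNULL)"),
    (r"^EXP-",              "export-grade key size"),
    (r"(^|-)RC4(-|$)",      "RC4 stream cipher"),
    (r"(^|-)DES-CBC3(-|$)", "3DES, 64-bit block"),
    (r"(^|-)DES-CBC(-|$)",  "single DES"),
    (r"-MD5$",              "MD5 MAC"),
    (r"^(ADH|AECDH)-",      "anonymous key exchange, no server authentication"),
]


def audit(suite_names):
    """Return {suite: [reasons]} for every suite matching a weak pattern."""
    findings = {}
    for name in suite_names:
        reasons = [why for pat, why in WEAK_PATTERNS if re.search(pat, name)]
        if reasons:
            findings[name] = reasons
    return findings


def audit_local_defaults():
    """Audit the suites this Python/OpenSSL build enables by default."""
    ctx = ssl.create_default_context()
    return audit(c["name"] for c in ctx.get_ciphers())


def negotiate(client_offer, server_preference):
    """Server-preference selection: first server suite the client also offered."""
    for suite in server_preference:
        if suite in client_offer:
            return suite
    return None  # no common suite: the handshake fails


def tampered_negotiation(client_offer, server_preference, attacker_keeps):
    """An on-path attacker drops every offered suite not in attacker_keeps.

    In real TLS the Finished messages are keyed under the negotiated suite and
    cover the ClientHello, so this tampering is detected at the end of the
    handshake unless the forced suite is weak enough for the attacker to
    defeat that check in time. A suite the server never enables cannot be
    forced at all, which is the point of removing it from the policy.
    """
    stripped = [s for s in client_offer if s in attacker_keeps]
    return negotiate(stripped, server_preference)


# Constructed policies (hypothetical, not taken from any real deployment).
CLIENT_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
PERMISSIVE = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
HARDENED = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    print("weak suites in permissive policy:", audit(PERMISSIVE))
    print("normal negotiation:", negotiate(CLIENT_OFFER, PERMISSIVE))
    print("tampered, permissive server:",
          tampered_negotiation(CLIENT_OFFER, PERMISSIVE, {"RC4-SHA"}))
    print("tampered, hardened server:",
          tampered_negotiation(CLIENT_OFFER, HARDENED, {"RC4-SHA"}))
    print("weak suites in local defaults:", audit_local_defaults())
```

With the permissive policy the stripped offer still negotiates RC4-SHA; with the hardened policy the same tampering leaves no common suite and the handshake fails loudly instead of silently landing on a weak cipher. `audit_local_defaults()` runs the same check over whatever the local OpenSSL build enables in `ssl.create_default_context()`, which is a quick way to catch a build or cipher string that re-enables something from the list.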