Re: Alt-Svc Privacy Concerns
Phil Lello <phil@dunlop-lello.uk> Sun, 10 April 2016 20:38 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4E1E12D63C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 10 Apr 2016 13:38:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.916
X-Spam-Level:
X-Spam-Status: No, score=-7.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dunlop-lello-uk.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1QZo2JT_XaHk for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 10 Apr 2016 13:38:43 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B77EF12D63B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 10 Apr 2016 13:38:43 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1apM3M-0000b1-VP for ietf-http-wg-dist@listhub.w3.org; Sun, 10 Apr 2016 20:33:53 +0000
Resent-Date: Sun, 10 Apr 2016 20:33:52 +0000
Resent-Message-Id: <E1apM3M-0000b1-VP@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <phil@dunlop-lello.uk>) id 1apM3I-0000aA-Gi for ietf-http-wg@listhub.w3.org; Sun, 10 Apr 2016 20:33:48 +0000
Received: from mail-lf0-f52.google.com ([209.85.215.52]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <phil@dunlop-lello.uk>) id 1apM3F-0006FD-Gh for ietf-http-wg@w3.org; Sun, 10 Apr 2016 20:33:47 +0000
Received: by mail-lf0-f52.google.com with SMTP id g184so132724129lfb.3 for <ietf-http-wg@w3.org>; Sun, 10 Apr 2016 13:33:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dunlop-lello-uk.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=nADYHjgSun+tu23FX0xmLUqRyj3Xqsrk+e4Tt8g3kJA=; b=dFOh5zBlWScBFtnfSo/9PukI3FfVwbOY36ls8GMCtwlqc62OgkQd3Z5XKcOMw6zy/s cjLFkKiakgiGE2s85GU+Ab2+KYL2tNxGOMzovpiF3Cbyq6Rg5eFaIChkg5ii3duJh5Br ifeLzoGLse1DyzTeCHKF7YEgzpTblMwqApuRZq4wagNAxuPqqDtuMojWbHlgncMVG4u+ +5wqlvuB/HtDNP4dzfsWkpoccncEZjXgUS+nzXPOxXS1DclSB1uUW66xI/qzEY9G8s3n CpITPGCaC46+/rUOthi2aDGohpU35/HwGGQpHPIRqX38zWHLmjQp9n1WHGMkFy5SaZ6o lxtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=nADYHjgSun+tu23FX0xmLUqRyj3Xqsrk+e4Tt8g3kJA=; b=jYU6bA+s3b6WZKy0BmSr29X2hFNCEB+qMsWqLQVIg98xOdtLpgWnfDm8eOcWMXZMzF MJVmte6N2B35oTtcj6nOl3vakXdeEwPs70T/p3sci+6mcS3tiW0NvnG2KsTuLOYja+Uq l0La22HUu4/QqruXx5mg7xNMcQD9s0Q7sp53oBwUMB2E+1re7mr1pJk3gUQ4rB9oHrv3 P/PhGGRQXfjrE6SVK8lP5S3kV7UtecHszJhUMrLglDi6FvcnjcQXVbQ4UtZBo0XDo5lM 7mmV/rAqkRASAptBEBx9KDRz12/wX9LazuUMKRyk8lBfmIA6uWMfGkGcLmvsSMNZY4oN sp4Q==
X-Gm-Message-State: AD7BkJLIYc9vR9P0UDJRcCrzEMlUw2p/qmM4wSl5waHIQvz0vXcoW4vjI6npaGst2Vjop3wtkOuMqYE1zM5JV+O9
MIME-Version: 1.0
X-Received: by 10.25.7.4 with SMTP id 4mr7198852lfh.147.1460320398502; Sun, 10 Apr 2016 13:33:18 -0700 (PDT)
Received: by 10.25.27.16 with HTTP; Sun, 10 Apr 2016 13:33:18 -0700 (PDT)
In-Reply-To: <CAKC-DJgcQuW709jkEA54EJc8dnKiZtuxDC9E530Odrk_S-Ukcg@mail.gmail.com>
References: <CAPofZaEG3gm79CznQuB8RdZb6hXYV7ZiBNTwYj=autVP1=_Cng@mail.gmail.com> <CAKC-DJgcQuW709jkEA54EJc8dnKiZtuxDC9E530Odrk_S-Ukcg@mail.gmail.com>
Date: Sun, 10 Apr 2016 21:33:18 +0100
Message-ID: <CAPofZaEjsKcGJqAdiPPFU3d5-8Y7dLJVe4MZBsq6xqUhF3g=wg@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: Erik Nygren <erik@nygren.org>
Cc: Ryan Hamilton <rch@google.com>, Patrick McManus <mcmanus@ducksong.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113ea9ce9c8fc2053027561b"
Received-SPF: none client-ip=209.85.215.52; envelope-from=phil@dunlop-lello.uk; helo=mail-lf0-f52.google.com
X-W3C-Hub-Spam-Status: No, score=-5.0
X-W3C-Hub-Spam-Report: AWL=-0.383, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1apM3F-0006FD-Gh 94795db944117840ed60e711bb025f71
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Alt-Svc Privacy Concerns
Archived-At: <http://www.w3.org/mid/CAPofZaEjsKcGJqAdiPPFU3d5-8Y7dLJVe4MZBsq6xqUhF3g=wg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31414
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Sun, Apr 10, 2016 at 8:00 PM, Erik Nygren <erik@nygren.org> wrote: > On Sat, Apr 9, 2016 at 1:41 PM, Phil Lello <phil@dunlop-lello.uk> wrote: > >> I'm concerned that Alt-Svc, especially used like this, is re-introducing >> the sort of privacy issues people have been trying to eliminate with >> cookies for years. Appologies if this has already been discussed and I >> missed it. >> > > I don't see the issue here really being with Alt-Svc. Rather, this is > another issue/risk with consolidating requests for multiple origins onto a > single TLS connection that has a valid cert for all of the origins. (I > don't think this was on my list in the slides in B.A. in discussion of the > ORIGIN frame and related topics, but is certainly in that class I'd > issues.) > > I'm not sure I see how Alt-Svc actually makes this worse by itself. I do > agree that when we look at the proposal for adding additional allowed > server certs to a connection that this will certainly be something we'll > want to discuss in more detail (although that is also orthogonal from > Alt-Svc). > > You may be right that the real issue is more widespread and affects re-using the connection for multiple origins in general; I was thinking about Alt-Svc when this attack vector occured to me. It's the stealth factor of the Alt-Svc redirection that troubles me, but I suppose it's no more inherently risky than aggregation when two or more servers resolve to the same IP. That said, it's more complex to casually detect, as a quick dig/nslookup will show if two server names are pointing to the same destination; with Alt-Svc it becomes necessary to make an HTTPS request, inspect headers, then check the IP addresses. I have similar stealth concerns about the ORIGIN frame, since by potentially eliminating DNS lookups it adds to the complexity of auditing which services information is potentially shared across (e.g. if tabs to a.com, b.com are open and using two connections, and a new tab opened to c.com reuses a connection, is the data available to a.com or b.com?). > A general point (which goes as much to UI behavior as anything) is that > the Secure Connection Info tab in many browsers only shows the CN and > buries the SANs below what users might normally see. (And even in today's > world, resources embedded in pages are also typically not something users > see and provide many opportunities for active linking of users, such as > through URIs.) > Yes, I agree we've already got lots of attack vectors for tracking users without consent, and that's something the industry needs to work on eliminating, both via the IETF and the W3C. However, UI/UX guidance for how and when to display certificate chains and related warnings feels like the IETF's domain to me, since it's the IETF providing the transport protocol(s).
- Alt-Svc Privacy Concerns Phil Lello
- Re: Alt-Svc Privacy Concerns Martin Thomson
- Re: Alt-Svc Privacy Concerns Phil Lello
- Re: Alt-Svc Privacy Concerns Ryan Hamilton
- Re: Alt-Svc Privacy Concerns Matthew Kerwin
- Re: Alt-Svc Privacy Concerns Phil Lello
- Re: Alt-Svc Privacy Concerns Phil Lello
- Re: Alt-Svc Privacy Concerns Matthew Kerwin
- Re: Alt-Svc Privacy Concerns Phil Lello
- Re: Alt-Svc Privacy Concerns Erik Nygren
- Re: Alt-Svc Privacy Concerns Phil Lello
- Re: Alt-Svc Privacy Concerns Mark Nottingham
- Re: Alt-Svc Privacy Concerns Phil Lello