Re: 2 questions
"Adrien de Croy" <adrien@qbik.com> Tue, 31 March 2015 20:55 UTC
From: Adrien de Croy <adrien@qbik.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Xiaoyin Liu <xiaoyin.l@outlook.com>, Dan Anderson <dan-anderson@cox.net>, "Walter H." <walter.h@mathemainzel.info>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Tue, 31 Mar 2015 20:49:02 +0000
Message-Id: <emb9aea729-e991-4f83-bd83-960342d99b87@bodybag>
In-Reply-To: <5519F1A7.8090900@cs.tcd.ie>
Reply-To: Adrien de Croy <adrien@qbik.com>
Subject: Re: 2 questions
Archived-At: <http://www.w3.org/mid/emb9aea729-e991-4f83-bd83-960342d99b87@bodybag>
It's great people are doing work in that area and thanks for posting that link.

However I don't know if the conclusion can follow that it's completely bogus to consider the impact of MitM at all, and if not now then for all time (I know this wasn't your exact claim).

Even the study remarked they got double the result of a previous study. That could be down to better testing, and/or growth in use of MitM in the intervening time period.

Without the source to their flash app, it's hard to tell whether there were any issues with the validity of the testing. Also it's hard to know from a google adwords campaign whether you are getting skewed results, for instance where there are proxies configured on a whitelist basis (there are many of these) that prevent access to the test site. So I believe the number reported will be on the low side. How much lower than real is for anyone to guess.

As to where to draw the line where we consider something to be insignificant or not: is 1% insignificant? 2%?

I know the use of MitM is growing (at least in our customer-base). Sure some may be abandoning it, but I'm not really seeing any evidence of that. So maybe in a couple of years it could be much higher than 0.41%, and for corporate users I'm certain it is much higher. I don't see the same incentives for ISPs to deploy MitM, and there are bigger issues like convincing people to install root certs, which corporate environments don't suffer the same from.

So whilst very interesting, I don't know if we can really draw too much from this study alone. It would be very interesting to see the results redone at, say, yearly intervals.

Adrien

------ Original Message ------
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
To: "Adrien de Croy" <adrien@qbik.com>; "Xiaoyin Liu" <xiaoyin.l@outlook.com>; "Dan Anderson" <dan-anderson@cox.net>; "Walter H." <walter.h@mathemainzel.info>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 31/03/2015 2:00:23 p.m.
Subject: Re: 2 questions

>
>
> On 31/03/15 01:07, Adrien de Croy wrote:
>>
>> With MitM all bets are off
>
> Seems to me that claims of the prevalence of MitM are
> somewhat exaggerated. The last study I recall of those
> in the wild found about 0.41% of requests affected. [1]
>
> So I think any argument of the form "don't do X to try
> be more secure or private, since the prevalence of MitM
> implies X is pointless" ought be considered bogus at the
> ~99.5% confidence level, at least according to [1].
>
> I also note that [1] found that those few unfortunate
> victims of the MitM attack are terribly served between UA
> and MitM as they saw a bunch of short RSA keys (with no PFS)
> used. And one would expect that to be the case as a supposedly
> "benevolent" MitM will generally decide to prefer crap
> security so that their always-negative performance impact
> is minimised. (Seeing commensurate security on both sides
> of the MitM might even be considered as indicative that
> the MitM is more likely malicious and not benevolent? I've
> not seen that measurement so far as I recall, so I'm just
> speculating there.)
>
> Are there better studies out there with better figures?
>
> If not and 0.41% of crappy security that you get with real
> deployments of MitM's is the norm, then we ought be more than
> ignoring the MitM deployments - we all (and browsers!) should
> be yelling loudly about 'em as we trip over their victims.
>
> Cheers,
> S.
>
> [1] http://arxiv.org/abs/1407.7146
>
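The two interception signals this exchange turns on, a leaf certificate that differs from the one the real server is known to present (the comparison the cited study's client-side app performs) and a client-to-proxy cipher that lacks forward secrecy, can be checked from the client side with the standard library alone. The following is an added example written for this page; it is not code from the thread, from the study, or from any product mentioned here. The expected fingerprints, the `MIN_TLS` floor, and the DER bytes used in the offline check are constructed for the example; a real deployment would learn pins out of band (a prior direct connection, a published pin set) and would pass the real `getpeercert(binary_form=True)` output.

```python
"""Client-side TLS interception probe (added example, not from the thread).

assess() is the offline, testable core; probe() wires it to a live socket.
Note that a "benevolent" MitM whose root certificate is installed on the
client passes normal chain validation, so only the out-of-band pin
comparison and the cipher/version observations reveal it.
"""
import hashlib
import socket
import ssl

# Assumed policy floor for this example; chosen, not taken from the page.
MIN_TLS = "TLSv1.2"

# Version names as ssl.SSLSocket.cipher() reports them, ranked for comparison.
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def has_forward_secrecy(cipher_name: str) -> bool:
    """True when the key exchange is ephemeral (EC)DH.

    OpenSSL names put the key exchange first (ECDHE-RSA-AES128-GCM-SHA256,
    DHE-RSA-AES256-SHA); plain-RSA key transport has no prefix (AES128-SHA).
    TLS 1.3 suites (TLS_AES_128_GCM_SHA256) always use (EC)DHE.
    """
    name = cipher_name.upper()
    return name.startswith("TLS_") or name.startswith(("ECDHE", "DHE", "EDH"))


def version_ok(version: str, floor: str = MIN_TLS) -> bool:
    return _VERSION_RANK.get(version, -1) >= _VERSION_RANK[floor]


def assess(der: bytes, cipher: tuple, expected_pins: set) -> dict:
    """Combine the three observations into a verdict.

    der:           DER bytes of the certificate the client actually received
    cipher:        (name, protocol_version, secret_bits) as ssl reports it
    expected_pins: set of hex SHA-256 fingerprints the client trusts a priori
    """
    name, version, _bits = cipher
    fp = cert_fingerprint(der)
    findings = []
    pinned = fp in expected_pins
    pfs = has_forward_secrecy(name)
    vok = version_ok(version)
    if not pinned:
        findings.append("certificate fingerprint does not match any known pin")
    if not pfs:
        findings.append("negotiated cipher has no forward secrecy")
    if not vok:
        findings.append(f"protocol {version} below floor {MIN_TLS}")
    return {
        "fingerprint": fp,
        "pinned": pinned,
        "pfs": pfs,
        "version_ok": vok,
        "intercepted": not pinned,  # only the pin mismatch is direct evidence
        "findings": findings,
    }


def probe(host: str, port: int, expected_pins: set, timeout: float = 5.0) -> dict:
    """Connect to host:port, collect what the client sees, and assess it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cipher = tls.cipher()
    return assess(der, cipher, expected_pins)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py example.com <hex-sha256-pin> [<hex-sha256-pin> ...]
    target, *pins = sys.argv[1:]
    for line in probe(target, 443, set(pins))["findings"] or ["no findings"]:
        print(line)
```

The verdict deliberately treats only the pin mismatch as evidence of interception: a weak cipher or old protocol on its own is consistent with a badly configured origin server, whereas a mismatched certificate on a host whose certificate you already know is not. The weak-cipher and version findings are reported alongside because, as the quoted reply notes, they tend to accompany interception in practice.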