IETF Logo Mail Archive

Re: Privacy difficulties in Blind Caching and OOB encoding

Jeffrey Yasskin <jyasskin@google.com> Fri, 04 August 2017 17:19 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D695B13242C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 4 Aug 2017 10:19:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.501
X-Spam-Level:
X-Spam-Status: No, score=-6.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aChsAL3LdpCg for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 4 Aug 2017 10:19:32 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1665D132424 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 4 Aug 2017 10:19:30 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ddgDN-00078G-RL for ietf-http-wg-dist@listhub.w3.org; Fri, 04 Aug 2017 17:16:45 +0000
Resent-Date: Fri, 04 Aug 2017 17:16:45 +0000
Resent-Message-Id: <E1ddgDN-00078G-RL@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <jyasskin@google.com>) id 1ddgDC-00077M-R7 for ietf-http-wg@listhub.w3.org; Fri, 04 Aug 2017 17:16:34 +0000
Received: from mail-wm0-f42.google.com ([74.125.82.42]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <jyasskin@google.com>) id 1ddgDB-00023o-0G for ietf-http-wg@w3.org; Fri, 04 Aug 2017 17:16:34 +0000
Received: by mail-wm0-f42.google.com with SMTP id m85so24969037wma.1 for <ietf-http-wg@w3.org>; Fri, 04 Aug 2017 10:16:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=EHEkMcT1nVOAiLW5d9dURned1g2eqfjq2/N0tz1qORk=; b=CLO+kA2ovSaMHrFkGTLgyrloJQLo9hwIHFLLkvUubw077rtr9KJELush0ToPqcxVOG PUPgJAyhIHDgCuQe+LlR5g41lEGSsZk1jxYJR6pCavN95hgsCIJhL8HUN3NkQc6zCjBr ctGiw3f04UC5+mcRGOu+/lPcDJsC67xJ69j7tKqQsNKs8I9R3XF32Nb0UkJ4CX7QBkXR p0YhhjuuEiRrE2blYNIulgu9tA9kqx25a1xnAwepSbN0Hrq4/afAkiCrchYxq/wtRiyw SJg7yT5/3/xtRsMzp8bfmcgmN3gZh8Ds5vNjpfzSCxmwU+EXbuuM9irLdVzK8kAVbZ50 l7mQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=EHEkMcT1nVOAiLW5d9dURned1g2eqfjq2/N0tz1qORk=; b=mCJlJw+Qn1hlqc3i3mZ+y0M0OvQt/At+krJSHNBRtP04k+IRE5DkG/LYhSvXCCYiE+ RE7qv5tfpFPZl5aFHn0vVqlEtHAj9g40sfpkW3xQmJqzClHeSTNjhiXY3mv/IpSd+eHb foYSLHbCYfZnPX1EceEDGfYLyvT9CalhXL0s7PO43Dc3Py/82JofrUdQ0NZeAId2N2Xt 0Y09e1AYPkSNU4sMOIgFeosgs7N3eSON5u+j7ymzUOm9liL25L6vYY4OAOkJi6PfGNNO PoF59Qz2Xrp6KYK+Jc2gp/EVA3p7cK4eptM3Rj3cVGUtisTV5Xt9uWj2MCAh24Jz0rYL VcVw==
X-Gm-Message-State: AHYfb5jXmeBcleD9nIV+YWxD+9LDYcCE+Uqg7WG+8ug37DaLizHIt+Xh UjGcXTW49axUT35nhZbvv7WKoEhkdcC6wxI=
X-Received: by 10.28.221.137 with SMTP id u131mr1837811wmg.19.1501866971058; Fri, 04 Aug 2017 10:16:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.216.144 with HTTP; Fri, 4 Aug 2017 10:15:50 -0700 (PDT)
In-Reply-To: <CABkgnnXKD0nG5+09u10AOy0X+sc-+egu1Cgq_U1d0r4VCN560A@mail.gmail.com>
References: <CANh-dXmCDMSpzoUzxZudaTG_MTcR9vwSv4qPknjeRfD01J=Zeg@mail.gmail.com> <CABkgnnXKD0nG5+09u10AOy0X+sc-+egu1Cgq_U1d0r4VCN560A@mail.gmail.com>
From: Jeffrey Yasskin <jyasskin@google.com>
Date: Fri, 04 Aug 2017 10:15:50 -0700
Message-ID: <CANh-dXmqqDT7EydRLDanjbsbGq9ToM2PeF_Vt29eks+uj-LwXg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=74.125.82.42; envelope-from=jyasskin@google.com; helo=mail-wm0-f42.google.com
X-W3C-Hub-Spam-Status: No, score=-4.9
X-W3C-Hub-Spam-Report: AWL=3.659, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1ddgDB-00023o-0G bbe739a1ad91d5b732d15f6dbe3fe222
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Privacy difficulties in Blind Caching and OOB encoding
Archived-At: <http://www.w3.org/mid/CANh-dXmqqDT7EydRLDanjbsbGq9ToM2PeF_Vt29eks+uj-LwXg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34282
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks, it's good to know I didn't miss anything.

I'm thinking about this in order to re-use as much of your work as
possible in the eventual web packaging proposal. My guess for that is
that simply omitting encryption support will make it more obvious to
folks that there are lots of limitations on what secrets we can keep
from the intermediates. Does that sound plausible?

Integrity support via SRI, MICE, or a signature is still very
important, of course.

We do lose support for the case where it's fine for the intermediate
to correlate users but not ok to expose the actual bytes. Since we
keep being surprised by how much information metadata gives away, my
instinct is that this isn't a big enough space to be worth the risk;
but I'm curious if you have use cases where it is important and it's
clear that users will understand what they're exposing?

Thanks,
Jeffrey

On Thu, Aug 3, 2017 at 4:38 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> Hi Jeffrey,
>
> You have summarized the issues that caused us to largely abandon this
> work.  In terms of privacy, it's an increase from what traffic
> analysis would expose.  The hope was that this could be valuable in
> cases where you were prepared to expose resource identity to a cache,
> but not give it the ability to modify it, or give it control over
> meta-information.
>
> On 4 August 2017 at 04:55, Jeffrey Yasskin <jyasskin@google.com> wrote:
>> I was reading draft-thomson-http-bc-01,
>> draft-reschke-http-oob-encoding-12, and some of their dependencies,
>> and I'm having trouble finding the plan for getting caches to actually
>> speed things up while at the same time preventing caches from learning
>> important information about the content their clients are
>> transferring.
>>
>> The core idea of the out-of-band encoding, as described in the drafts
>> and [ERICSSON], is that the origin server can delegate content
>> transmission to an edge cache to which the client has a faster
>> connection than it has to the origin.
>>
>> When we account for the origin->cache transmission, this should be
>> slower for the first client and significantly faster for all
>> subsequent clients. That is, more than one client MUST be able to use
>> the same resource bytes, which means, if they're encrypted
>> ([RFC8188]), that all clients must get the same key to decrypt them.
>> That has several implications:
>>
>> 1) For public resources, the cache can trivially figure out what
>> content clients are retrieving, by pretending to be a client itself to
>> get the decryption keys. This is an important decrease in privacy
>> compared to TLS, but I don't see it mentioned in [BC]. It seems to
>> conflict with calling the caching "blind".
>>
>> 2) For secret resources, the cache may not be able to authenticate
>> sufficiently to retrieve decryption keys, but it can still trivially
>> figure out that multiple clients are retrieving the same resource.
>> This metadata is another decrease in privacy compared to TLS.
>>
>> 3) [OOB] and [SCD] both mention a forgery risk and sketch some
>> mitigations around [SIG] and [MICE], but that's less relevant for this
>> email.
>>
>> Have I missed anything in the documents or the design that hides more
>> information from the caches?
>>
>> Thanks,
>> Jeffrey
>>
>> [BC] https://tools.ietf.org/html/draft-thomson-http-bc-01
>> [OOB] https://tools.ietf.org/html/draft-reschke-http-oob-encoding-12
>> [SCD] https://tools.ietf.org/html/draft-thomson-http-scd-02
>> [ERICSSON] https://www.ericsson.com/en/publications/ericsson-technology-review/archive/2016/blind-cache-a-solution-to-content-delivery-challenges-in-an-all-encrypted-web
>> [RFC8188] https://tools.ietf.org/html/rfc8188
>> [SIG] https://tools.ietf.org/html/draft-thomson-http-content-signature-00
>> [MICE] https://tools.ietf.org/html/draft-thomson-http-mice-02
>>

v2.23.0 | Report a Bug | By Email