Re: HTTP/2 and Pervasive Monitoring
Erik Nygren <erik@nygren.org> Fri, 15 August 2014 14:43 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B9F21A8A82 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 07:43:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.347
X-Spam-Level:
X-Spam-Status: No, score=-6.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_84=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1qe1hTmIxRq for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 07:43:37 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2DA21A8A6D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 Aug 2014 07:43:36 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XIIgI-0005ML-Ia for ietf-http-wg-dist@listhub.w3.org; Fri, 15 Aug 2014 14:40:38 +0000
Resent-Date: Fri, 15 Aug 2014 14:40:38 +0000
Resent-Message-Id: <E1XIIgI-0005ML-Ia@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nygren@gmail.com>) id 1XIIfs-0005LU-Tf for ietf-http-wg@listhub.w3.org; Fri, 15 Aug 2014 14:40:12 +0000
Received: from mail-vc0-f176.google.com ([209.85.220.176]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <nygren@gmail.com>) id 1XIIfr-0000Lk-RV for ietf-http-wg@w3.org; Fri, 15 Aug 2014 14:40:12 +0000
Received: by mail-vc0-f176.google.com with SMTP id id10so2986979vcb.21 for <ietf-http-wg@w3.org>; Fri, 15 Aug 2014 07:39:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=c/KvaaDw4uEbrfSgR2Bg8Tfri/85I68wykifGAEnpSc=; b=o/RVA9gWA8lMXwFXCwR+ZcKF0YE/FB9OjEcgSwjLw/GOAE6G9E7D2Hgq4mx6dQ6cFa PlOT8fQdWj+84s1MH/R9HYotDAl6B0cIh1qjHOj7dmGOxPqg0XW3lE0lg6bBmQrlSzi/ 8aKnbnSU4wMQUnD/OMk7iLnDrEgXcFBsFBA9Gx6MKWKY9sAX6R6zFilHZj5Gz5u9qQNx YUVBir8Stdd5Wmk1Gf/lgrdYxyAPF0RwV3setmT96ZndK6YC4TM5PGmY0xEHcLx4zZst wbUFOYDbOBnXhDuH6h4D9IgtbbbTTJdjNzJW/AjTBsLSH9P9R2Ta0EDg0DJ4PJYun17u 6QoQ==
MIME-Version: 1.0
X-Received: by 10.220.74.195 with SMTP id v3mr10489053vcj.23.1408113585865; Fri, 15 Aug 2014 07:39:45 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.221.11.16 with HTTP; Fri, 15 Aug 2014 07:39:45 -0700 (PDT)
In-Reply-To: <4851.1408094168@critter.freebsd.dk>
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <4851.1408094168@critter.freebsd.dk>
Date: Fri, 15 Aug 2014 10:39:45 -0400
X-Google-Sender-Auth: 7Epge0ec7F8C9hig4-5q_S0wrks
Message-ID: <CAKC-DJjFk9==Y4ayn=A-fZBaEt-G_+n=XQ9B8rKqWaT-LQh3vQ@mail.gmail.com>
From: Erik Nygren <erik@nygren.org>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="089e01634bf016c7b60500abfe62"
Received-SPF: pass client-ip=209.85.220.176; envelope-from=nygren@gmail.com; helo=mail-vc0-f176.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.763, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1XIIfr-0000Lk-RV cdd21a5eb7a127b0dd40b61c6cd3708f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/CAKC-DJjFk9==Y4ayn=A-fZBaEt-G_+n=XQ9B8rKqWaT-LQh3vQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26617
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
A number of comments on this topic based on some discussions I've had over the past few weeks: OppSec as deployment vehicle or for security -------------------------------------------- Using http:// scheme URIs over TLS for HTTP/2 should be thought of as firstly as a stop-gap deployment vehicle for HTTP/2 to get past broken middle boxes without requiring application-side changes to immediately move to https scheme. The OppSec side-effects of this have a nice secondary benefit for raising the bar to PM, but there are significant concerns that there are enough active attacks already today that this may provide a misleading false sense of security. On a related note, even having the word "security" here has the risk that people will misunderstand it to unfortunate results. (I live in fear of reading some marketing copy along the lines of "Opportunistic Security adds extra bonus value because it takes full advantage of Opportunities to give you even more security than you got previously with that older 'Real Security'." --- or something similarly misleading and scary.) On transitions and fallbacks ---------------------------- While this OppSec model also makes it straight-forward for a large hosting provider or CDN to immediately deploy HTTP/2 for http-scheme-over-TLS without application changes or needing to manage per-customer certificates, we don't have terribly good models here to make a smoother transition. Transitioning from OppSec unauthenticated http-over-TLS to HTTPS has a reasonable story: provision a real certificate, 301 redirect to https, then start using HSTS or similar. However we don't have a story in the current draft for transitioning from OppSec unauthenticated http-over-TLS to authenticated http-over-TLS in an operationally supportable manner. When a server returns: Alt-Svc: "h2"=443 it has no idea whether or not the client is going to try and validate the certificate and what it will do if it will fail. One possibility would be to do something like: Alt-Svc: "h2"=443; validate=pkix but this is sent over cleartext. This could be useful, however, such that if browsers are going to require cert validation they could know NOT to follow the AltSvc if that "validate=pkix" isn't present. An unfortunate side-effect here is that active MitM could easily strip out that text. Another unfortunate side-effect of this Alt-Svc OppSec model in general is that it has some of the same unfortunate incentives when certificate validation fails as STARTTLS has within SMTP where many clients fall back to using cleartext http/1.1 instead of unauthenticated encryption. Saying "let's not implement it" just ends up in the same boat of using cleartext http/1.1 for people who aren't motivated to make the jump to HTTPS. The counter argument I've heard is that http/2 without OppSec will be a forcing function to get people to move to HTTPS, but there are enough barriers to universal HTTPS today (lack of universal SNI/IPv6 and cert provisioning challenges), that I'm still strongly of the opinion that it is worth having this "OppSec" deployment vehicle bridge for the next few years at least until we get universal SNI adoption. > http:/ can use TLS with *arbitrarily weak* crypto algorithms, > and no authentication, and it is treated *exactly* like > HTTP/1.1 plaintext by browsers. For better or worse, the current drafts don't easily support this in a way that doesn't introduce risk during transitions as the server doesn't have a good indication of whether http or https scheme will be used. (Earlier Alt-Svc drafts contained an "h2t" ALPN token, but this has subsequently been dropped.) The cost for modern servers of AES-GCM (or ChaCha20-Poly1305 once that is supported) is typically low enough that there's no point in using something weaker. Similarly, it's not clear what one would use other than ECDHE that would be worthwhile and cheaper for key exchange. (Wearing my *not-a-cryptographer* hat.) Doing anonymous key exchange without a server cert might be useful to bring down the cost, but then there would need to be some client handshake signalling (in the cleartext client_hello) that OppSec http-over-TLS is going to be used, and this is something we've wanted to avoid so far. > For that matter this is not even specific to HTTP/2 in any way, it > could also be deployed for HTTP/1.1. Only if there was a way to convey Scheme (http vs https) in a way that worked reliably for existing HTTP/1.1 servers. Erik
- HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Amos Jeffries
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- RE: HTTP/2 and Pervasive Monitoring K.Morgan
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Eliot Lear
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Martin Nilsson
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- RE: HTTP/2 and Pervasive Monitoring Albert Lunde
- Re: HTTP/2 and Pervasive Monitoring Cory Benfield
- Re: HTTP/2 and Pervasive Monitoring Erik Nygren
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Roland Zink
- Re: HTTP/2 and Pervasive Monitoring Martin Thomson
- Re: HTTP/2 and Pervasive Monitoring Brian Smith
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Eliot Lear
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Stephen Farrell
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Roland Zink
- Re: HTTP/2 and Pervasive Monitoring Stephen Farrell
- Re: HTTP/2 and Pervasive Monitoring Amos Jeffries
- Re: HTTP/2 and Pervasive Monitoring Eliot Lear
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Ilari Liusvaara
- Re: HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Martin Thomson
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Martin Thomson
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp