Re: HTTP/2 and Pervasive Monitoring

Erik Nygren <erik@nygren.org> Fri, 15 August 2014 14:43 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B9F21A8A82 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 07:43:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.347
X-Spam-Level:
X-Spam-Status: No, score=-6.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_84=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1qe1hTmIxRq for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 07:43:37 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2DA21A8A6D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 Aug 2014 07:43:36 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XIIgI-0005ML-Ia for ietf-http-wg-dist@listhub.w3.org; Fri, 15 Aug 2014 14:40:38 +0000
Resent-Date: Fri, 15 Aug 2014 14:40:38 +0000
Resent-Message-Id: <E1XIIgI-0005ML-Ia@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nygren@gmail.com>) id 1XIIfs-0005LU-Tf for ietf-http-wg@listhub.w3.org; Fri, 15 Aug 2014 14:40:12 +0000
Received: from mail-vc0-f176.google.com ([209.85.220.176]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <nygren@gmail.com>) id 1XIIfr-0000Lk-RV for ietf-http-wg@w3.org; Fri, 15 Aug 2014 14:40:12 +0000
Received: by mail-vc0-f176.google.com with SMTP id id10so2986979vcb.21 for <ietf-http-wg@w3.org>; Fri, 15 Aug 2014 07:39:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=c/KvaaDw4uEbrfSgR2Bg8Tfri/85I68wykifGAEnpSc=; b=o/RVA9gWA8lMXwFXCwR+ZcKF0YE/FB9OjEcgSwjLw/GOAE6G9E7D2Hgq4mx6dQ6cFa PlOT8fQdWj+84s1MH/R9HYotDAl6B0cIh1qjHOj7dmGOxPqg0XW3lE0lg6bBmQrlSzi/ 8aKnbnSU4wMQUnD/OMk7iLnDrEgXcFBsFBA9Gx6MKWKY9sAX6R6zFilHZj5Gz5u9qQNx YUVBir8Stdd5Wmk1Gf/lgrdYxyAPF0RwV3setmT96ZndK6YC4TM5PGmY0xEHcLx4zZst wbUFOYDbOBnXhDuH6h4D9IgtbbbTTJdjNzJW/AjTBsLSH9P9R2Ta0EDg0DJ4PJYun17u 6QoQ==
MIME-Version: 1.0
X-Received: by 10.220.74.195 with SMTP id v3mr10489053vcj.23.1408113585865; Fri, 15 Aug 2014 07:39:45 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.221.11.16 with HTTP; Fri, 15 Aug 2014 07:39:45 -0700 (PDT)
In-Reply-To: <4851.1408094168@critter.freebsd.dk>
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <4851.1408094168@critter.freebsd.dk>
Date: Fri, 15 Aug 2014 10:39:45 -0400
X-Google-Sender-Auth: 7Epge0ec7F8C9hig4-5q_S0wrks
Message-ID: <CAKC-DJjFk9==Y4ayn=A-fZBaEt-G_+n=XQ9B8rKqWaT-LQh3vQ@mail.gmail.com>
From: Erik Nygren <erik@nygren.org>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="089e01634bf016c7b60500abfe62"
Received-SPF: pass client-ip=209.85.220.176; envelope-from=nygren@gmail.com; helo=mail-vc0-f176.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.763, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1XIIfr-0000Lk-RV cdd21a5eb7a127b0dd40b61c6cd3708f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/CAKC-DJjFk9==Y4ayn=A-fZBaEt-G_+n=XQ9B8rKqWaT-LQh3vQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26617
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

A number of comments on this topic based on some discussions
I've had over the past few weeks:


OppSec as deployment vehicle or for security
--------------------------------------------

Using http:// scheme URIs over TLS for HTTP/2 should be thought of as
firstly as a stop-gap deployment vehicle for HTTP/2 to get past broken
middle boxes without requiring application-side changes to immediately
move to https scheme.

The OppSec side-effects of this have a nice secondary benefit for
raising the bar to PM, but there are significant concerns that there
are enough active attacks already today that this may provide a
misleading false sense of security.

On a related note, even having the word "security" here has the risk
that people will misunderstand it to unfortunate results.  (I live in
fear of reading some marketing copy along the lines of "Opportunistic
Security adds extra bonus value because it takes full advantage of
Opportunities to give you even more security than you got previously
with that older 'Real Security'." --- or something similarly
misleading and scary.)


On transitions and fallbacks
----------------------------

While this OppSec model also makes it straight-forward for a large
hosting provider or CDN to immediately deploy HTTP/2 for
http-scheme-over-TLS without application changes or needing to manage
per-customer certificates, we don't have terribly good models here to
make a smoother transition.

Transitioning from OppSec unauthenticated http-over-TLS to HTTPS has a
reasonable story:  provision a real certificate, 301 redirect
to https, then start using HSTS or similar.

However we don't have a story in the current draft for transitioning
from OppSec unauthenticated http-over-TLS to authenticated http-over-TLS
in an operationally supportable manner.  When a server returns:

   Alt-Svc: "h2"=443

it has no idea whether or not the client is going to try and validate
the certificate and what it will do if it will fail.
One possibility would be to do something like:

   Alt-Svc: "h2"=443; validate=pkix

but this is sent over cleartext.  This could be useful,
however, such that if browsers are going to require cert
validation they could know NOT to follow the AltSvc if
that "validate=pkix" isn't present.

An unfortunate side-effect here is that active MitM
could easily strip out that text.

Another unfortunate side-effect of this Alt-Svc OppSec model in
general is that it has some of the same unfortunate incentives when
certificate validation fails as STARTTLS has within SMTP where many
clients fall back to using cleartext http/1.1 instead of unauthenticated
encryption.  Saying "let's not implement it" just ends up
in the same boat of using cleartext http/1.1 for people who
aren't motivated to make the jump to HTTPS.

The counter argument I've heard is that http/2 without OppSec will be
a forcing function to get people to move to HTTPS, but there are
enough barriers to universal HTTPS today (lack of universal SNI/IPv6
and cert provisioning challenges), that I'm still strongly of the
opinion that it is worth having this "OppSec" deployment vehicle
bridge for the next few years at least until we get universal SNI
adoption.


> http:/ can use TLS with *arbitrarily weak* crypto algorithms,
> and no authentication, and it is treated *exactly* like
> HTTP/1.1 plaintext by browsers.

For better or worse, the current drafts don't easily support this in a
way that doesn't introduce risk during transitions as the server
doesn't have a good indication of whether http or https scheme will be
used.  (Earlier Alt-Svc drafts contained an "h2t" ALPN token, but this
has subsequently been dropped.)  The cost for modern servers of
AES-GCM (or ChaCha20-Poly1305 once that is supported) is typically low
enough that there's no point in using something weaker.  Similarly,
it's not clear what one would use other than ECDHE that would be
worthwhile and cheaper for key exchange.  (Wearing my
*not-a-cryptographer* hat.)

Doing anonymous key exchange without a server cert might
be useful to bring down the cost, but then there would
need to be some client handshake signalling (in the cleartext
client_hello) that OppSec http-over-TLS is going to be used,
and this is something we've wanted to avoid so far.

> For that matter this is not even specific to HTTP/2 in any way, it
> could also be deployed for HTTP/1.1.

Only if there was a way to convey Scheme (http vs https) in a way that
worked reliably for existing HTTP/1.1 servers.

       Erik