Re: HTTP/2 and Pervasive Monitoring
"Poul-Henning Kamp" <phk@phk.freebsd.dk> Fri, 15 August 2014 12:37 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC291A0A82 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 05:37:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.57
X-Spam-Level:
X-Spam-Status: No, score=-7.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCdMrOc72xMp for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 05:37:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 082FC1A0A7B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 Aug 2014 05:37:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XIGjE-0004tp-8D for ietf-http-wg-dist@listhub.w3.org; Fri, 15 Aug 2014 12:35:32 +0000
Resent-Date: Fri, 15 Aug 2014 12:35:32 +0000
Resent-Message-Id: <E1XIGjE-0004tp-8D@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <phk@phk.freebsd.dk>) id 1XIGiw-0004t1-Ev for ietf-http-wg@listhub.w3.org; Fri, 15 Aug 2014 12:35:14 +0000
Received: from phk.freebsd.dk ([130.225.244.222]) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <phk@phk.freebsd.dk>) id 1XIGiv-0006ij-KG for ietf-http-wg@w3.org; Fri, 15 Aug 2014 12:35:14 +0000
Received: from critter.freebsd.dk (unknown [192.168.60.3]) by phk.freebsd.dk (Postfix) with ESMTP id 41EB01578; Fri, 15 Aug 2014 12:34:51 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.9/8.14.9) with ESMTP id s7FCYnh4005872; Fri, 15 Aug 2014 12:34:50 GMT (envelope-from phk@phk.freebsd.dk)
To: Mark Nottingham <mnot@mnot.net>
cc: HTTP Working Group <ietf-http-wg@w3.org>
In-reply-to: <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net>
From: Poul-Henning Kamp <phk@phk.freebsd.dk>
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <4851.1408094168@critter.freebsd.dk> <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5870.1408106089.1@critter.freebsd.dk>
Content-Transfer-Encoding: quoted-printable
Date: Fri, 15 Aug 2014 12:34:49 +0000
Message-ID: <5871.1408106089@critter.freebsd.dk>
Received-SPF: none client-ip=130.225.244.222; envelope-from=phk@phk.freebsd.dk; helo=phk.freebsd.dk
X-W3C-Hub-Spam-Status: No, score=-3.7
X-W3C-Hub-Spam-Report: AWL=-3.081, RP_MATCHES_RCVD=-0.668
X-W3C-Scan-Sig: maggie.w3.org 1XIGiv-0006ij-KG 1c16275e7d505b6d8aeadf68d42f959e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/5871.1408106089@critter.freebsd.dk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26612
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
-------- In message <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net>, Mark Nottingham wri tes: >H >On 15 Aug 2014, at 7:16 pm, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote: >> Straw-man: >> ---------- >> >> http:/ can use TLS with *arbitrarily weak* crypto algorithms, >> and no authentication, and it is treated *exactly* like >> HTTP/1.1 plaintext by browsers. >> >> https:/ uses authenticated TLS with strong crypto, as today, >> and indicates this with the well-known changes in browser >> behaviour. > >It sounds like you're proposing that we allow weaker ciphersuites for >the Opp-Sec draft. It's not really a proposal relative to any other document than BCP188 in the context of HTTP. >If Opp-Sec traffic is able to be distinguished (e.g., by using a >different ciphersuite), it'll be possible for an active attacker to >selectively MITM it and not be detected. I'm afraid that you just proved one of my points with respect to how hard a sell this might be, because people don't understand herd immunity :-) Let me try to explain it another way: Today the majority of PM has the form of a passive optical splitter, tcpdump and postanalysis. Given the "take" it brings, this is dirt cheap to implement. Currently, they can run a filter which is essentially: tcpdump -i all0 -w - | egrep -i "terrorist|bomb" and the cost is way less than they spend on toilet-paper. By by whitening the present HTTP plaintext traffic with TLS, even with quite weak cipher-suites, we dramatically increase the cost of the postanalysis step, instantly making that filter impossible. Depending on the cryptographic cost we impose with our whitening, a number of avenues remain open for the attackers: 1. Brute-force only a tiny fraction of traffic, most likely guided by metadata analysis. Chances are that the tiny fraction they'll be most interested in uses "real" https in the first place. 2. MITM a tiny fraction of traffic, most likely guided by metadata analysis. What they already have to do for "real" https. The crucial result here, is that we eliminated the "pervasive" from PM with respect to HTTP data, by putting north of 99.99% of all current plaintext traffic out of their economic reach, traffic which they currently get to see for absolutely free. Your concern about them being able to tell "real" TLS from "phony" TLS, for the purpose of MITM, at best comes in as a distant second or third order effect relative to this proposal: its the step from tcpdump to MITM were their cost explodes. It doesn't really matter that they can instantly tell what is "phony" TLS, and what is "real" TLS, the point is that they cannot get at either of them without working actively and hard for it, and therefore they will be forced to focus on and target only suspect traffic. "working hard" will in most cases be MITM, which is a victory in itself, because MITM has non-zero probability of detection, where passive collection has zero probability. So don't they just switch from pervasive monitoring to pervasive MITM ? In theory they could, but in practice not. Technologically, it is extremely doubtful if anybody is ever going to be able to do anything like moderately well-hidden MITM TLS on a full 40Gb/s fiber. You'd have to do it blantantly, as in "The Great Firewall of Elbonia" style brutalism. Even though 10Gb/s might be technologically feasible, the economics ensure that it will never happen on a scale anywhere close to the current pervasive passive slurp, because both the cost of access to fibres, cost of equipment and legal complications crop up. To summ up: It doesn't matter that they can instantly see it is "phony" TLS, they still have to work much harder to get at it. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
- HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Amos Jeffries
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- RE: HTTP/2 and Pervasive Monitoring K.Morgan
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Eliot Lear
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Martin Nilsson
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- RE: HTTP/2 and Pervasive Monitoring Albert Lunde
- Re: HTTP/2 and Pervasive Monitoring Cory Benfield
- Re: HTTP/2 and Pervasive Monitoring Erik Nygren
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Roland Zink
- Re: HTTP/2 and Pervasive Monitoring Martin Thomson
- Re: HTTP/2 and Pervasive Monitoring Brian Smith
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Eliot Lear
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Stephen Farrell
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Roland Zink
- Re: HTTP/2 and Pervasive Monitoring Stephen Farrell
- Re: HTTP/2 and Pervasive Monitoring Amos Jeffries
- Re: HTTP/2 and Pervasive Monitoring Eliot Lear
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Ilari Liusvaara
- Re: HTTP/2 and Pervasive Monitoring Mark Nottingham
- Re: HTTP/2 and Pervasive Monitoring Greg Wilkins
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Martin Thomson
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp
- Re: HTTP/2 and Pervasive Monitoring Martin Thomson
- Re: HTTP/2 and Pervasive Monitoring Poul-Henning Kamp