Re: HTTP/2 and Pervasive Monitoring

"Poul-Henning Kamp" <phk@phk.freebsd.dk> Fri, 15 August 2014 12:37 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC291A0A82 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 05:37:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.57
X-Spam-Level:
X-Spam-Status: No, score=-7.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCdMrOc72xMp for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Aug 2014 05:37:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 082FC1A0A7B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 Aug 2014 05:37:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XIGjE-0004tp-8D for ietf-http-wg-dist@listhub.w3.org; Fri, 15 Aug 2014 12:35:32 +0000
Resent-Date: Fri, 15 Aug 2014 12:35:32 +0000
Resent-Message-Id: <E1XIGjE-0004tp-8D@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <phk@phk.freebsd.dk>) id 1XIGiw-0004t1-Ev for ietf-http-wg@listhub.w3.org; Fri, 15 Aug 2014 12:35:14 +0000
Received: from phk.freebsd.dk ([130.225.244.222]) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <phk@phk.freebsd.dk>) id 1XIGiv-0006ij-KG for ietf-http-wg@w3.org; Fri, 15 Aug 2014 12:35:14 +0000
Received: from critter.freebsd.dk (unknown [192.168.60.3]) by phk.freebsd.dk (Postfix) with ESMTP id 41EB01578; Fri, 15 Aug 2014 12:34:51 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.9/8.14.9) with ESMTP id s7FCYnh4005872; Fri, 15 Aug 2014 12:34:50 GMT (envelope-from phk@phk.freebsd.dk)
To: Mark Nottingham <mnot@mnot.net>
cc: HTTP Working Group <ietf-http-wg@w3.org>
In-reply-to: <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net>
From: Poul-Henning Kamp <phk@phk.freebsd.dk>
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <4851.1408094168@critter.freebsd.dk> <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5870.1408106089.1@critter.freebsd.dk>
Content-Transfer-Encoding: quoted-printable
Date: Fri, 15 Aug 2014 12:34:49 +0000
Message-ID: <5871.1408106089@critter.freebsd.dk>
Received-SPF: none client-ip=130.225.244.222; envelope-from=phk@phk.freebsd.dk; helo=phk.freebsd.dk
X-W3C-Hub-Spam-Status: No, score=-3.7
X-W3C-Hub-Spam-Report: AWL=-3.081, RP_MATCHES_RCVD=-0.668
X-W3C-Scan-Sig: maggie.w3.org 1XIGiv-0006ij-KG 1c16275e7d505b6d8aeadf68d42f959e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/5871.1408106089@critter.freebsd.dk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26612
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

--------
In message <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net>, Mark Nottingham wri
tes:
>H
>On 15 Aug 2014, at 7:16 pm, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>> Straw-man:
>> ----------
>> 
>> 	http:/ can use TLS with *arbitrarily weak* crypto algorithms,
>> 	and no authentication, and it is treated *exactly* like
>> 	HTTP/1.1 plaintext by browsers.
>> 
>> 	https:/ uses authenticated TLS with strong crypto, as today,
>> 	and indicates this with the well-known changes in browser
>> 	behaviour.
>
>It sounds like you're proposing that we allow weaker ciphersuites for 
>the Opp-Sec draft. 

It's not really a proposal relative to any other document than BCP188
in the context of HTTP.

>If Opp-Sec traffic is able to be distinguished (e.g., by using a 
>different ciphersuite), it'll be possible for an active attacker to 
>selectively MITM it and not be detected. 

I'm afraid that you just proved one of my points with respect to
how hard a sell this might be, because people don't understand
herd immunity  :-)

Let me try to explain it another way:

Today the majority of PM has the form of a passive optical splitter,
tcpdump and postanalysis.  Given the "take" it brings, this is dirt
cheap to implement.

Currently, they can run a filter which is essentially:

	tcpdump -i all0 -w - | egrep -i "terrorist|bomb"

and the cost is way less than they spend on toilet-paper.

By by whitening the present HTTP plaintext traffic with TLS, even
with quite weak cipher-suites, we dramatically increase the cost
of the postanalysis step, instantly making that filter impossible.

Depending on the cryptographic cost we impose with our whitening,
a number of avenues remain open for the attackers:

1. Brute-force only a tiny fraction of traffic, most likely guided
   by metadata analysis.

   Chances are that the tiny fraction they'll be most interested
   in uses "real" https in the first place.

2. MITM a tiny fraction of traffic, most likely guided by metadata
   analysis.

   What they already have to do for "real" https.

The crucial result here, is that we eliminated the "pervasive" from
PM with respect to HTTP data, by putting north of 99.99% of all
current plaintext traffic out of their economic reach, traffic which
they currently get to see for absolutely free.

Your concern about them being able to tell "real" TLS from "phony" TLS,
for the purpose of MITM, at best comes in as a distant second or third
order effect relative to this proposal: its the step from tcpdump
to MITM were their cost explodes.

It doesn't really matter that they can instantly tell what is "phony"
TLS, and what is "real" TLS, the point is that they cannot get at
either of them without working actively and hard for it, and therefore
they will be forced to focus on and target only suspect traffic.

"working hard" will in most cases be MITM, which is a victory in
itself, because MITM has non-zero probability of detection, where
passive collection has zero probability.

So don't they just switch from pervasive monitoring to pervasive MITM ?

In theory they could, but in practice not.

Technologically, it is extremely doubtful if anybody is ever going
to be able to do anything like moderately well-hidden MITM TLS on
a full 40Gb/s fiber.  You'd have to do it blantantly, as in "The
Great Firewall of Elbonia" style brutalism.

Even though 10Gb/s might be technologically feasible, the economics
ensure that it will never happen on a scale anywhere close to the
current pervasive passive slurp, because both the cost of access
to fibres, cost of equipment and legal complications crop up.

To summ up:  It doesn't matter that they can instantly see it is
"phony" TLS, they still have to work much harder to get at it.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.