Re: I-D Action: draft-ietf-httpbis-tunnel-protocol-00.txt
Amos Jeffries <squid3@treenet.co.nz> Thu, 21 August 2014 14:55 UTC
To: Adam Rice <ricea@google.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
On 21/08/2014 8:07 p.m., Adam Rice wrote:
> On 21 August 2014 15:37, Amos Jeffries wrote:
>
>> * if use of this header is picked up widely then we will be headed
>> toward a situation where more proxies can relatively safely have blanket
>> rejection on CONNECT traffic omitting it, a lot of current day attacks
>> will fail, and BCP 188 Pervasive Monitoring stops being pervasive.
>>
>
> I don't believe that anyone who has the capability to intercept and decrypt
> traffic will voluntarily give it up.

Decryption costs $$. Also the entire traffic stream must be decrypted
("pervasive" remember). A fast way to filter out some of the traffic and
target the decryption has positive pressure to adopt for cost reduction even
by those who have the capability.

> Since it is trivial for malware to forge this header, I do not believe it
> will stop any attacks.
>

It will change the attacks which are possible and how difficult they are.

Today it is trivial to send a CONNECT with arbitrary payload to a large
number of networks and proxies. After the header they will have to make the
attack work while simultaneously spoofing bits of the internal protocol
which DPI systems can now validate.

e.g. the header conveys that TLS/1.3 is being transmitted and the data
actually contains a SSL/1.0 client hello (or something not even parsing as
a client hello at all).

Then there is the whole area of signed messages that make the header
content a fixed and reliable detail while in the clear for proxies.

Amos
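The validation Amos describes (a proxy checking that what the client declared for the tunnel matches what it then sends into it) is shown below as an added example; it is not code from the message, from Squid, or from the draft. It assumes the CONNECT header is named "Tunnel-Protocol" and carries an ALPN identifier such as "h2" (a reading of the draft title, not quoted text), and the policy choices (allow when the ClientHello carries no ALPN extension, reject SSLv2-style hellos and anything that is not a TLS handshake record) are the example's own. The sample ClientHello bytes are constructed inline.

```python
"""Cross-check a CONNECT request's declared tunnel protocol against the first
bytes the client actually sends into the tunnel (added example; the header
name "Tunnel-Protocol" and the allow/reject policy are assumptions)."""

import struct

TLS_RECORD_HANDSHAKE = 0x16
TLS_HS_CLIENT_HELLO = 0x01
TLS_EXT_ALPN = 16  # application_layer_protocol_negotiation


def classify_tunnel_payload(data: bytes):
    """Return (kind, alpn): kind is 'tls', 'sslv2' or 'unknown'; alpn is the
    list of protocol ids offered in the ClientHello's ALPN extension, or None
    if there is none or the payload is not a TLS ClientHello. Truncated or
    malformed input is reported as 'unknown' (a real proxy would buffer and
    retry rather than decide on a partial record)."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-style CLIENT-HELLO: 2-byte length with high bit set, msg type 1
        return 'sslv2', None
    if len(data) < 5 or data[0] != TLS_RECORD_HANDSHAKE or data[1] != 0x03:
        return 'unknown', None
    rec_len = struct.unpack('!H', data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != TLS_HS_CLIENT_HELLO:
        return 'unknown', None
    hs_len = int.from_bytes(body[1:4], 'big')
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return 'unknown', None
    try:
        return 'tls', _alpn_from_client_hello(hello)
    except (struct.error, IndexError, UnicodeDecodeError):
        return 'unknown', None


def _alpn_from_client_hello(hello: bytes):
    """Walk the ClientHello body and return the ALPN protocol list, or None."""
    pos = 2 + 32                                   # client_version + random
    sid_len = hello[pos]; pos += 1 + sid_len       # session_id
    cs_len = struct.unpack('!H', hello[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = hello[pos]; pos += 1 + comp_len     # compression_methods
    if pos == len(hello):
        return None                                # no extensions block at all
    ext_total = struct.unpack('!H', hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if end > len(hello):
        raise IndexError('extensions length exceeds ClientHello')
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack('!HH', hello[pos:pos + 4]); pos += 4
        ext = hello[pos:pos + ext_len]; pos += ext_len
        if ext_type == TLS_EXT_ALPN:
            list_len = struct.unpack('!H', ext[:2])[0]
            p, names = 2, []
            while p < 2 + list_len:
                n = ext[p]
                names.append(ext[p + 1:p + 1 + n].decode('ascii'))
                p += 1 + n
            return names
    return None


def check_connect(declared: str, payload: bytes):
    """Decide whether the declared Tunnel-Protocol value is consistent with
    the payload. Returns ('allow'|'reject', reason)."""
    kind, alpn = classify_tunnel_payload(payload)
    if kind != 'tls':
        return 'reject', f'Tunnel-Protocol {declared!r} but payload is {kind}'
    if alpn is None:
        return 'allow', 'TLS ClientHello without ALPN; nothing to cross-check'
    if declared in alpn:
        return 'allow', f'ClientHello offers {alpn}, includes {declared!r}'
    return 'reject', f'ClientHello offers {alpn}, not {declared!r}'


def build_client_hello(alpn_ids):
    """Constructed sample: minimal TLS 1.2 record carrying a ClientHello,
    optionally with an ALPN extension listing alpn_ids."""
    exts = b''
    if alpn_ids:
        names = b''.join(bytes([len(a)]) + a.encode('ascii') for a in alpn_ids)
        alpn = struct.pack('!H', len(names)) + names
        exts = struct.pack('!HH', TLS_EXT_ALPN, len(alpn)) + alpn
    hello = (b'\x03\x03' + b'\x11' * 32 + b'\x00'   # version, random, no session id
             + struct.pack('!H', 2) + b'\x13\x01'   # one cipher suite
             + b'\x01\x00')                         # null compression only
    if exts:
        hello += struct.pack('!H', len(exts)) + exts
    hs = bytes([TLS_HS_CLIENT_HELLO]) + len(hello).to_bytes(3, 'big') + hello
    return bytes([TLS_RECORD_HANDSHAKE, 3, 1]) + struct.pack('!H', len(hs)) + hs


# Constructed SSLv2-style CLIENT-HELLO header (length 0x1f, msg type 1, v2.0).
SSLV2_HELLO = b'\x80\x1f\x01\x00\x02' + b'\x00' * 0x1a


if __name__ == '__main__':
    for declared, payload in [('h2', build_client_hello(['h2', 'http/1.1'])),
                              ('h2', build_client_hello(['http/1.1'])),
                              ('h2', SSLV2_HELLO),
                              ('h2', b'GET / HTTP/1.1\r\n')]:
        print(declared, check_connect(declared, payload))
```

The point of the check is the one in the message: an attacker who forges the header must now also produce a ClientHello whose ALPN list agrees with it, and a proxy can make that decision on the first record without decrypting anything.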