Re: Content-Encoding and MITM devices
Patrick Meenan <patmeenan@gmail.com> Thu, 04 April 2024 14:43 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD2E1C14F748 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 4 Apr 2024 07:43:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.85
X-Spam-Level:
X-Spam-Status: No, score=-2.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="AB+kgH2M"; dkim=pass (2048-bit key) header.d=w3.org header.b="b6D6j+Un"; dkim=pass (2048-bit key) header.d=gmail.com header.b="D44gXkGg"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VEm7kqPYFSF8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 4 Apr 2024 07:43:57 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFF89C14F686 for <httpbisa-archive-bis2Juki@ietf.org>; Thu, 4 Apr 2024 07:43:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=M57rHEWVRd7UWg7xEtEr1yUQqiCGztIc+XkLpA0/2KI=; b=AB+kgH2McDVjMmPPnOg3K4xMCR uFR3T7ojSYiTDbBnVEwON2xZ4IEWFxIRY5oHbp1TEo63WtCho6qQZFAk24d7fqUP2TreVWJnIiL3k hrr4Wf6rTT9uHQlcBCsT9n2oPpVBqkDVbjrhhHUjdqsSDqaOEVP+qYzs+lbL/I/mGw8z70ob8oTzX 8BR6SyA3nSomoN25UQuoeZOYr5TH3xKZWZADyjfaJ1u3JvW/VQbj2f8s0oOY724GbNvdyTIlyCuvy 71OCDW9npX54nxV+OUX6a7gen7qT+70O5HTsgiZarnbmXIHLLjbR8xPCTE17867ef5dIq43CG5inV 2MYXicZw==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1rsOJ9-0053oa-0l for ietf-http-wg-dist@listhub.w3.org; Thu, 04 Apr 2024 14:43:15 +0000
Resent-Date: Thu, 04 Apr 2024 14:43:15 +0000
Resent-Message-Id: <E1rsOJ9-0053oa-0l@mab.w3.org>
Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <patmeenan@gmail.com>) id 1rsOJ6-0053nh-2r for ietf-http-wg@listhub.w3.org; Thu, 04 Apr 2024 14:43:12 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=M57rHEWVRd7UWg7xEtEr1yUQqiCGztIc+XkLpA0/2KI=; t=1712241792; x=1713105792; b=b6D6j+UnhxpudA6s518xBAnmwqXsrZjicgVP0Wvp8KwvEcEw9wO/ZaJTWpi7cSJXnSl9GBNUQ+2 pCEAdXNxLgvtKniL91A3ACpnH/aF5zCze6UThlTPmAyVkYw0THyonL5gAqnV6unbw4wesfkok4ZYM SQ03CeutLtDO8BG/7k06ayMmVJfuF+ujSU7J4SrzD2MeFocAIgh6oYaJchx/bzvOW2mCeK01g9xD6 P2r+gMmrDG2B838xJeyPhrz9g1N9F3Mk7cPButEtD+NUV8vfUWzIMlfO+7CKWZSgtcc/g78inc0sA qYzbU8s9y3ntsdXKJR1DwW/5uhtWuu724Cog==;
Received-SPF: pass (pan.w3.org: domain of gmail.com designates 2a00:1450:4864:20::536 as permitted sender) client-ip=2a00:1450:4864:20::536; envelope-from=patmeenan@gmail.com; helo=mail-ed1-x536.google.com;
Received: from mail-ed1-x536.google.com ([2a00:1450:4864:20::536]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <patmeenan@gmail.com>) id 1rsOJ6-006DSq-12 for ietf-http-wg@w3.org; Thu, 04 Apr 2024 14:43:12 +0000
Received: by mail-ed1-x536.google.com with SMTP id 4fb4d7f45d1cf-56e0acaf69aso1324182a12.1 for <ietf-http-wg@w3.org>; Thu, 04 Apr 2024 07:43:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712241788; x=1712846588; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=M57rHEWVRd7UWg7xEtEr1yUQqiCGztIc+XkLpA0/2KI=; b=D44gXkGg1DJCWPtd2DWMOgs/CwuZ8qWNhFjWyS42izZpKEPV3SPXHQ32g0wcZH/c/j bZClkB9KALkEaukdMtfzmLwmLo+Y8phcHsj4ge1fvEWu3UwdOtos+4z0q43YeB2fOQqs ZaI/pEP1dAwZl7TRtqQ47rXUcSTxiui14dmy69NJYuNxiCHFlb5jkqGdv30RI9Us5V7/ ZOuTxUWQK3+jvpRrTHpbKOi4ZDwDzazPi0TtrURKpWzzJjCCdWED05ITq36GhGcBLRrP y/S4797ZLbdeuAKLjXPMQOhhHrusnjcg6C6w2SkNwQkwL7/n8NumXx604I6Mvr4TrYpE DMTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712241788; x=1712846588; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=M57rHEWVRd7UWg7xEtEr1yUQqiCGztIc+XkLpA0/2KI=; b=GDBxpzTH3aHLsNgj8XjEt+2cnH6ZxtGnEBnqFokJzoCUDpyllk4iIFivH4CVVV/rjo SICyqySzYpklN8UYMkTBC57YCeIawLHyYAleFhhSYUE8EXVosJja3YZX2HBYu9WT/eSn UCL1cqBIepth1WsOk+TY8krcH0vlx3He/MCELlrpe0Nz4j8+PWi0K6sgC1kPVbvoTV9+ AkTOlevVmwDivtEZDUxPZy+moDBVgOxLYFEHf+6UJLrHlAAR7P2EWK5mrYiktDz2pvi2 Ty66kJhdV+tcheKyAD+sbjqVg+0XoNRjgavIufHCwr9OfdDk2lTue0QBh50kPs8XX3FO EtMg==
X-Gm-Message-State: AOJu0YwLYPAu+bRUqeMRjCDBMV/5qoj8p6gSque8mWmQTspv34XqXL8y F4hSUTpA6HzETOQBMxminpCHAdP+Z2qMjP7WXp4a/YgfjMlySh5lN5vEwtSdUeVHQOj5sbNjot4 ITpCQUAK69y5cnZXNuB0qRjIk5No=
X-Google-Smtp-Source: AGHT+IErevX9d18+DCnyPRqOopJBtBshuELzlIRs42ZrgBDyvEXp83VFCyvY58NpU6qwgCLJeRW1xop8cBdyHXBwnT8=
X-Received: by 2002:a17:906:6d08:b0:a4e:a50e:b5d0 with SMTP id m8-20020a1709066d0800b00a4ea50eb5d0mr1874931ejr.66.1712241788153; Thu, 04 Apr 2024 07:43:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAJV+MGyYYG3cP7gbDnEm2xMFrQ-4X=2HhbObstJhs0LOeWpQLQ@mail.gmail.com> <CALGR9ob_a5u15crRQ7MaRmgaE=NUN1c_YLMxAp3-LL4x3MPqfA@mail.gmail.com>
In-Reply-To: <CALGR9ob_a5u15crRQ7MaRmgaE=NUN1c_YLMxAp3-LL4x3MPqfA@mail.gmail.com>
From: Patrick Meenan <patmeenan@gmail.com>
Date: Thu, 04 Apr 2024 10:42:56 -0400
Message-ID: <CAJV+MGzJk9Zu=JuVioYt75YhxvLK8bs=EhT2-TnSqP5i+6mRJQ@mail.gmail.com>
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000008d78350615465b0c"
X-W3C-Hub-DKIM-Status: validation passed: (address=patmeenan@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1rsOJ6-006DSq-12 c5ee75f3bf650baf965f94abb9516773
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Content-Encoding and MITM devices
Archived-At: <https://www.w3.org/mid/CAJV+MGzJk9Zu=JuVioYt75YhxvLK8bs=EhT2-TnSqP5i+6mRJQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51917
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
More inline... On Thu, Apr 4, 2024 at 10:24 AM Lucas Pardue <lucaspardue.24.7@gmail.com> wrote: > > On Thu, 4 Apr 2024, 14:20 Patrick Meenan, <patmeenan@gmail.com> wrote: > >> Longer-term it would be nice if we can find a way to keep the situation >> from getting worse (I don't want to end up in a place where we can only >> launch features and protocol changes to HTTP/3 connections to well-known >> trust roots). >> > > IIUC correctly, Chromium connection policy does not support MITM for > HTTP/3 unless there is an explicit list is passed in via a command line > option. In other words, blanket MITM QUlC is not supported and the browser > fails back to TCP-based HTTP. So the numbers you see are likely affected > by that policy. Just wanted to check if you'd factored that into the > analysis or not. > I can't speak to MITM HTTP/3 being safe or not, just that HTTP/3 from Chrome's current config was clean and HTTP/1.1 and HTTP/2 was fine when not MITM but had elevated errors when MITM. I was under the impression that enterprises generally block UDP 443 to force TCP that can be intercepted with existing equipment but I guess there could be HTTP/3 (well, QUIC specifically) interceptors as well. > >> - Should we start greasing existing HTTP header fields (or at least the >> content-encoding)? >> > > I think that depends on the failure types you are observing. Is the > intermediary erroring in the presence of a header field value, or because > of actual content negotiation? It can be hard to grease actual functional > code paths (in effect, it seems like you are already doing so in your > origin trial ;-) ) > For content-encoding specifically, would it be worth greasing different encoding types so the next time it is changed we can be sure that MITM software correctly modifies the accept-encoding to what they support rather than just adding support for each new encoding as it happens. > > - Should information about the trust root used for a connection be >> web-exposed, server-exposed or user-exposed? >> > > I suspect this might have some privacy implications. There was some > chatter in the last couple of years about how one of the resource/perf > timing APIs that exposes nextHopProtocol could reveal the presence of a > proxy and that it has privacy implications. > > There was also some chatter in the community about logging whether > connections had traversed some form of non-MITM proxy (e.g. whether video > had been played over something like private relay), targeted more at trying > to spot on aggregate whether performance characteristics were affected when > going direct vs proxied. > > I don't have a direct answer to your suggestion, other than there are > non-technical items to resolve before we might think about any solutions. > > Agreed that there are likely privacy/fingerprinting things to worry about here but there are probably privacy aspects on both sides of it (the connections not being e2e private on the network path). Granted, once someone has access to the end device, it can't be trusted so whatever installed the local trust root could also monitor by other means but it also feels a bit wrong to provide no indication of the potential for network intercept (maybe it's a product issue more than a protocol issue).
- Content-Encoding and MITM devices Patrick Meenan
- Re: Content-Encoding and MITM devices Patrick Meenan
- Re: Content-Encoding and MITM devices Lucas Pardue
- Re: Content-Encoding and MITM devices Lucas Pardue