Content-Encoding and MITM devices

Patrick Meenan <patmeenan@gmail.com> Thu, 04 April 2024 13:18 UTC

From: Patrick Meenan <patmeenan@gmail.com>
Date: Thu, 04 Apr 2024 09:16:35 -0400
Message-ID: <CAJV+MGyYYG3cP7gbDnEm2xMFrQ-4X=2HhbObstJhs0LOeWpQLQ@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Content-Encoding and MITM devices
Archived-At: <https://www.w3.org/mid/CAJV+MGyYYG3cP7gbDnEm2xMFrQ-4X=2HhbObstJhs0LOeWpQLQ@mail.gmail.com>

As part of Chrome's origin trial for compression dictionaries (which is
enabled over secure-contexts only), we are seeing elevated connection
issues on HTTP/1.1 and HTTP/2 but not HTTP/3.

It's visible both from Chrome and from some of the origin trial
participants, who are seeing elevated failures. From Chrome's side, it looks
to be limited to cases where the connection certificate is not anchored to a
well-known trust root (i.e. likely a MITM proxy using a local trust root).

This seems to match what Edge was seeing with the zsdch deployment:
https://techcommunity.microsoft.com/t5/discussions/edge-and-bing-search-zsdch-encoding-why-is-it-being-used/m-p/3881170/thread-id/60032

We were hopeful that the work to launch brotli had cleaned up a bunch of
the MITM issues but it looks like they are an ongoing problem for
content-encoding.
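The observation above (failures concentrated on HTTP/1.1 and HTTP/2 behind private trust roots, not on HTTP/3 or behind public roots) is the kind of thing a server operator in the trial can check in their own telemetry. The script below is an added example, not Chrome's or any trial participant's code; the record fields, the "dict" coding label and all the numbers are constructed stand-ins. It segments connection records by protocol, trust-root class and negotiated encoding, then flags segments where the private-root failure rate is a multiple of the public-root rate for the same protocol and encoding, which is the signature of an intercepting proxy choking on an unfamiliar coding.

```python
"""Triage of constructed connection telemetry: does a new content-encoding
fail disproportionately behind private trust roots?  Added example; the
field names and numbers are assumptions, not real Chrome telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnRecord:
    protocol: str    # "h1", "h2" or "h3"
    trust_root: str  # "public" = well-known root, "private" = local/enterprise root
    encoding: str    # negotiated Content-Encoding
    failed: bool     # True if the connection or response broke


def _make(n, protocol, trust_root, encoding, failures):
    # Build n records for one segment; the first `failures` of them failed.
    return [ConnRecord(protocol, trust_root, encoding, i < failures) for i in range(n)]


# Constructed sample: a hypothetical "dict" coding (stand-in for the dictionary
# coding under trial) is fine behind public roots and on HTTP/3 everywhere,
# but breaks behind private roots on HTTP/1.1 and HTTP/2; "br" is a control.
SAMPLE = (
    _make(100, "h1", "public", "dict", 1) + _make(100, "h1", "private", "dict", 25)
    + _make(100, "h2", "public", "dict", 1) + _make(100, "h2", "private", "dict", 30)
    + _make(100, "h3", "public", "dict", 1) + _make(100, "h3", "private", "dict", 1)
    + _make(100, "h2", "public", "br", 1) + _make(100, "h2", "private", "br", 2)
)


def failure_rates(records):
    """Failure rate per (protocol, trust_root, encoding) segment."""
    counts = defaultdict(lambda: [0, 0])  # segment -> [failed, total]
    for r in records:
        seg = counts[(r.protocol, r.trust_root, r.encoding)]
        seg[0] += int(r.failed)
        seg[1] += 1
    return {k: f / t for k, (f, t) in counts.items()}


def private_root_excess(records, factor=5.0, min_total=50):
    """Segments whose private-root failure rate is at least `factor` times the
    public-root rate for the same protocol and encoding.
    Returns {(protocol, encoding): (public_rate, private_rate)}."""
    totals = defaultdict(int)
    for r in records:
        totals[(r.protocol, r.trust_root, r.encoding)] += 1
    rates = failure_rates(records)
    flagged = {}
    for (proto, root, enc), priv_rate in rates.items():
        if root != "private":
            continue
        pub_key = (proto, "public", enc)
        if pub_key not in rates:
            continue  # no control population to compare against
        if totals[(proto, root, enc)] < min_total or totals[pub_key] < min_total:
            continue  # too few samples to trust the ratio
        pub_rate = rates[pub_key]
        # A zero public rate is floored so any private failures stand out.
        if priv_rate > 0 and priv_rate >= factor * max(pub_rate, 1e-9):
            flagged[(proto, enc)] = (pub_rate, priv_rate)
    return flagged


if __name__ == "__main__":
    for (proto, enc), (pub, priv) in sorted(private_root_excess(SAMPLE).items()):
        print(f"{proto} {enc}: public {pub:.1%} vs private {priv:.1%}")
```

On the constructed sample only the h1 and h2 "dict" segments are flagged; the h3 segment and the "br" control stay below the threshold, which is the pattern the message describes. With real data the trust-root class would come from whether the chain validated against the platform's public root store.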

For any launch with Chrome, we will figure out how to do it as cleanly as
possible (enterprise policy, tie the feature to a version release, etc) but
if you know of anyone responsible for a MITM proxy/firewall that might be
affected, it would be worthwhile to give them a heads-up that it is coming.

Longer-term it would be nice if we can find a way to keep the situation
from getting worse (I don't want to end up in a place where we can only
launch features and protocol changes to HTTP/3 connections to well-known
trust roots).

Some thoughts:

- Should we start greasing existing HTTP header fields (or at least the
content-encoding)?
- Should information about the trust root used for a connection be
web-exposed, server-exposed or user-exposed?
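Greasing the content-coding negotiation, as floated in the first bullet, only works if the peers on the path ignore tokens they do not recognise instead of failing on them. The code below is an added example, not Chrome's or any proxy vendor's, showing what a tolerant origin or intermediary has to do on the request side: parse Accept-Encoding per RFC 9110 with q-values, drop unknown tokens, and pick the best supported coding. The "x-grease-<hex>" token format is an assumption made for illustration; the point is that a greased header negotiates exactly the same coding as the ungreased one.

```python
"""Accept-Encoding negotiation that tolerates unknown (grease) tokens.  Added
example, not Chrome's or any proxy vendor's code; the "x-grease-<hex>" token
format is an assumption for illustration."""
import secrets

SUPPORTED = ("br", "gzip", "identity")  # codings this origin can produce, in preference order


def grease_token():
    # Constructed unknown coding; a tolerant peer must simply ignore it.
    return "x-grease-" + secrets.token_hex(2)


def grease_accept_encoding(header):
    """Client side: prepend an unknown coding to a real Accept-Encoding value."""
    return f"{grease_token()}, {header}"


def parse_accept_encoding(header):
    """RFC 9110 Accept-Encoding -> {coding: q}, lowercased; malformed q -> 0."""
    prefs = {}
    for member in header.split(","):
        member = member.strip()
        if not member:
            continue
        parts = [p.strip() for p in member.split(";")]
        coding = parts[0].lower()
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable qvalue: treat as not acceptable
        prefs[coding] = max(0.0, min(q, 1.0))
    return prefs


def _q_for(coding, prefs):
    if coding in prefs:
        return prefs[coding]
    if "*" in prefs:
        return prefs["*"]
    # identity is implicitly acceptable (lowest preference) unless excluded
    return 0.001 if coding == "identity" else 0.0


def choose_encoding(header, supported=SUPPORTED):
    """Server side: highest-q supported coding, ignoring tokens we do not know.
    Ties go to server preference order.  Returns None when nothing the client
    accepts can be produced (a 406 situation)."""
    prefs = parse_accept_encoding(header)
    best, best_q = None, 0.0
    for coding in supported:
        q = _q_for(coding, prefs)
        if q > best_q:
            best, best_q = coding, q
    return best


if __name__ == "__main__":
    plain = "gzip, deflate;q=0.5, br;q=0.8"
    greased = grease_accept_encoding(plain)
    print(greased, "->", choose_encoding(greased))
```

The same tolerance is needed on the response side: an intermediary that sees a Content-Encoding it cannot decode should forward the header and body untouched rather than strip the header or attempt to "fix" the body, which is the failure mode the message attributes to MITM devices.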