Re: Content-Encoding and MITM devices

Lucas Pardue <lucaspardue.24.7@gmail.com> Thu, 04 April 2024 14:25 UTC

Archived-At: <https://www.w3.org/mid/CALGR9ob_a5u15crRQ7MaRmgaE=NUN1c_YLMxAp3-LL4x3MPqfA@mail.gmail.com>

Hi Pat,

Responding to some points in line:


On Thu, 4 Apr 2024, 14:20 Patrick Meenan, <patmeenan@gmail.com> wrote:

> As part of Chrome's origin trial for compression dictionaries (which is
> enabled over secure-contexts only), we are seeing elevated connection
> issues on HTTP/1.1 and HTTP/2 but not HTTP/3.
>
> It's visible from both Chrome and from some of the origin trial
> participants, seeing elevated failures. From Chrome's side, it looks to be
> limited to cases where the connection certificate is not anchored to a
> well-known trust root (i.e. likely a MITM proxy using a local trust root).
>
> This seems to match what Edge was seeing with the zsdch deployment:
> https://techcommunity.microsoft.com/t5/discussions/edge-and-bing-search-zsdch-encoding-why-is-it-being-used/m-p/3881170/thread-id/60032
>
> We were hopeful that the work to launch brotli had cleaned up a bunch of
> the MITM issues but it looks like they are an ongoing problem for
> content-encoding.
>
> For any launch with Chrome, we will figure out how to do it as cleanly as
> possible (enterprise policy, tie the feature to a version release, etc) but
> if you know of anyone responsible for a MITM proxy/firewall that might be
> affected, it would be worthwhile to give them a heads-up that it is coming.
>
> Longer-term it would be nice if we can find a way to keep the situation
> from getting worse (I don't want to end up in a place where we can only
> launch features and protocol changes to HTTP/3 connections to well-known
> trust roots).
>

IIUC, Chromium connection policy does not support MITM for HTTP/3
unless an explicit list is passed in via a command line option. In
other words, blanket MITM of QUIC is not supported and the browser falls back
to TCP-based HTTP. So the numbers you see are likely affected by that
policy. Just wanted to check if you'd factored that into the analysis or
not.

Other browsers or user agents that don't implement such a policy would, I
suspect, see equivalent error rates across H2 and H3 MITM'd connections.


> Some thoughts:
>
> - Should we start greasing existing HTTP header fields (or at least the
> content-encoding)?
>

I think that depends on the failure types you are observing. Is the
intermediary erroring in the presence of a header field value, or because
of actual content negotiation? It can be hard to grease actual functional
code paths (in effect, it seems like you are already doing so in your
origin trial ;-) ).

> - Should information about the trust root used for a connection be
> web-exposed, server-exposed or user-exposed?
>

I suspect this might have some privacy implications. There was some chatter
in the last couple of years about how one of the resource/perf timing APIs
that exposes nextHopProtocol could reveal the presence of a proxy and that
it has privacy implications.

There was also some chatter in the community about logging whether
connections had traversed some form of non-MITM proxy (e.g. whether video
had been played over something like private relay), targeted more at trying
to spot on aggregate whether performance characteristics were affected when
going direct vs proxied.

I don't have a direct answer to your suggestion, other than there are
non-technical items to resolve before we might think about any solutions.

Cheers
Lucas

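The reply above asks whether intermediaries fail simply because an unfamiliar token appears in Content-Encoding. The following is an added example, not code from this thread, from Chromium, or from any MITM vendor: it models the brittle behaviour (treat any unknown content-coding as an error) next to a tolerant one (decode what you understand, otherwise forward the bytes unmodified). The `DECODERS` table, the `InspectResult` type, the sample bodies and the `grease-xyz` token are constructed for the example; `zsdch` is the token named in the thread.

```python
# Added example (not from the mailing-list thread): how an inspection device
# can handle Content-Encoding tokens it does not recognise, such as a greased
# or newly deployed coding, without breaking the response. The decoder table,
# sample bodies and the "grease-xyz" token below are constructed.
import gzip
import zlib
from dataclasses import dataclass
from typing import Optional

# Codings this hypothetical device can actually undo (stdlib only).
DECODERS = {
    "identity": lambda b: b,
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": zlib.decompress,
}


def parse_codings(header_value: str) -> list:
    """Split an Accept-Encoding / Content-Encoding value using the RFC 9110
    list syntax: comma-separated, case-insensitive tokens, empty members
    ignored, and any ';q=...' parameters dropped so only the name remains."""
    codings = []
    for member in header_value.split(","):
        member = member.strip()
        if not member:
            continue
        name = member.split(";", 1)[0].strip().lower()
        if name:
            codings.append(name)
    return codings


@dataclass
class InspectResult:
    forwarded: bytes                     # bytes the device puts on the wire
    inspected: bool                      # True only if fully decoded
    blocking_coding: Optional[str] = None  # first coding it could not undo


def brittle_inspect(body: bytes, content_encoding: str) -> bytes:
    """The failure mode discussed in the thread: an unknown coding is treated
    as an error. On a real device that surfaces as a reset or a 5xx instead
    of the origin's response."""
    for coding in reversed(parse_codings(content_encoding)):
        if coding not in DECODERS:
            raise ValueError("unsupported content-coding: %s" % coding)
        body = DECODERS[coding](body)
    return body


def tolerant_inspect(body: bytes, content_encoding: str) -> InspectResult:
    """Decode as far as the device understands. Codings are listed in the
    order they were applied, so they are undone in reverse; on the first
    unknown (or corrupt) one, forward the original bytes unchanged and
    record that inspection was incomplete instead of failing the response."""
    decoded = body
    for coding in reversed(parse_codings(content_encoding)):
        decoder = DECODERS.get(coding)
        if decoder is None:
            return InspectResult(body, False, coding)
        try:
            decoded = decoder(decoded)
        except (OSError, EOFError, zlib.error):
            # Not really that coding, or truncated: do not guess, pass through.
            return InspectResult(body, False, coding)
    return InspectResult(body, True)


# Constructed sample response body.
PLAIN = b"<html>hello</html>"
GZIPPED = gzip.compress(PLAIN)

if __name__ == "__main__":
    print(tolerant_inspect(GZIPPED, "gzip"))
    print(tolerant_inspect(GZIPPED, "gzip, zsdch"))
    print(tolerant_inspect(GZIPPED, "grease-xyz, gzip"))
```

The tolerant path is what lets a greased or newly deployed coding reach the client: the device loses visibility into that one response and can log `blocking_coding` for follow-up, but it does not convert an unfamiliar token into a connection failure.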