IETF Logo Mail Archive

Re: FYI: Oblivious HTTP

Martin Thomson <mt@lowentropy.net> Mon, 01 February 2021 00:30 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 090FA3A1477 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 31 Jan 2021 16:30:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.771
X-Spam-Level:
X-Spam-Status: No, score=-2.771 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=P4pZP+Xa; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=VB00HMQ6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYiTo0uIh4ax for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 31 Jan 2021 16:30:01 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 729C53A1476 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 31 Jan 2021 16:30:01 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1l6N66-00068l-3F for ietf-http-wg-dist@listhub.w3.org; Mon, 01 Feb 2021 00:29:42 +0000
Resent-Date: Mon, 01 Feb 2021 00:29:42 +0000
Resent-Message-Id: <E1l6N66-00068l-3F@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mt@lowentropy.net>) id 1l6N65-000680-8v for ietf-http-wg@listhub.w3.org; Mon, 01 Feb 2021 00:29:41 +0000
Received: from out1-smtp.messagingengine.com ([66.111.4.25]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mt@lowentropy.net>) id 1l6N63-0003gR-EG for ietf-http-wg@w3.org; Mon, 01 Feb 2021 00:29:41 +0000
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id B983D5C00C1 for <ietf-http-wg@w3.org>; Sun, 31 Jan 2021 19:29:28 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Sun, 31 Jan 2021 19:29:28 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=lfGo4ZQIyoJ2mZK48SpgzPzrdhdiBb0 KSQqn0DMeURk=; b=P4pZP+XaJV4QX1zySeqUNZY3+xnuyqM0BeqSh8vXvHyEkxL Axg7Rjqd9gY5+yoRy1R/tAz/738G4IuwxmqaoUEV+1WL58UzpdjUIB9P/Txw1lar Y6pEQREURe9z8DyUeNjbRnNlgRVeD1wHe+uXXbrbyh7S8JxIQIiaxjKGdBGavZzm /C2AdWDS+t6rX4fAEo+BrGudzimJoPMjBGfr48rdlOREvlVcGyf1zC3Y3Fy8WqQz 73aQN/hJPiOitNcZZUT4sBflgLZAiaONsoPCEvpnFwDVkBP1CHsU2rQMvPvXlZ8t QNS+exp79hL+s0CnyzgAo1LgSWKb+Ys/SZMDTjA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=lfGo4Z QIyoJ2mZK48SpgzPzrdhdiBb0KSQqn0DMeURk=; b=VB00HMQ6p2bFSM5WMerUp+ 5jkAmajmdBHL4pUc6npvB1TCCm7D9Le8MvnLZz0IINtoQZuMwCMpLcAIR/RLcaqm sGqOpbccbFbWJvh3EmOIbR8uyZz0jnyVttRLzQU96EKxmSfOy0+7SdI9DoMqEVIO SMSXS0X5+iuyTkD9WBLxshlAY5jIaiXdB+ZL9ojZinYKQfmPopJ6zNSngrxynGIv 3ObAnQ4dheyVwpe9kNw8s30m6CJKQYYVwAUcy9SeEBi23EEBmX4j+rqiPuRBQU8B 0kVuunYOaB0jgBDHWEJ+PDg4Ydh6C/UZHHTA4BkHSsm8/td4Jzub7XVfJJAY38bg ==
X-ME-Sender: <xms:aEsXYGyky9fbR20DJXu0UHEm6o8fu0HMPj8MbCl4g22RbWzaqJXQwg> <xme:aEsXYCQm9FoR9Ot4BNp2ysctipbRUEUG0hksIuV8fpg_3laXxVfyZecEFTQdq3DDW rHyZ2QoytyAEqzMzOY>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrfeejgddvudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnheptdeghfekgeffhfetfeejke evfeetheehleegheehveelfeetfeeikeefgfejvdegnecuffhomhgrihhnpehgihhthhhu sgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:aEsXYIXtyGx3mZyggZ-A4zMTwOJ-DeaNDJv7dP_gEyKe34PBl_rzNg> <xmx:aEsXYMgLcmhgDwExnYxp0Tv9DPz0dzp3pYNlBGJqVlUoZyTR0YrxWw> <xmx:aEsXYIB4yHcEYOOMslr_72AMbwB1COHKUWoyXmttwX94hP9pKcF5Bg> <xmx:aEsXYLOwS7BDkN63mQXkqge0_UbIB9d76z3CuShyCvayj88qyLQgtg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 813194E0065; Sun, 31 Jan 2021 19:29:28 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-84-gfc141fe8b8-fm-20210125.001-gfc141fe8
Mime-Version: 1.0
Message-Id: <0709f82d-150e-4423-8994-5a2549475ef4@www.fastmail.com>
In-Reply-To: <CAF8qwaCdK6zodL5QGmMSM4U80NdSiZ+KZ16-u2_SypiEo62Ocg@mail.gmail.com>
References: <ef91fafb-1586-4076-baa9-033326162eb1@www.fastmail.com> <776DC690-336A-4843-8EA1-DD5D426A0DD6@gbiv.com> <8bf39ffc-e6f8-4f0f-af2d-20e8eed154b9@www.fastmail.com> <CAF8qwaCdK6zodL5QGmMSM4U80NdSiZ+KZ16-u2_SypiEo62Ocg@mail.gmail.com>
Date: Mon, 01 Feb 2021 11:29:09 +1100
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Content-Type: text/plain
Received-SPF: pass client-ip=66.111.4.25; envelope-from=mt@lowentropy.net; helo=out1-smtp.messagingengine.com
X-W3C-Hub-DKIM-Status: validation passed: (address=mt@lowentropy.net domain=lowentropy.net), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=mt@lowentropy.net domain=messagingengine.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-6.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1l6N63-0003gR-EG b97cd98242f60056a59f647200213618
X-Original-To: ietf-http-wg@w3.org
Subject: Re: FYI: Oblivious HTTP
Archived-At: <https://www.w3.org/mid/0709f82d-150e-4423-8994-5a2549475ef4@www.fastmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38426
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks David, these are all good points to capture.  I've flagged you on the issues I've created in response to these; though it will take a little bit of work to get this all written down.

For those following along at home: https://github.com/unicorn-wg/oblivious-http/issues

On Sat, Jan 30, 2021, at 12:08, David Benjamin wrote:
> On Thu, Jan 28, 2021 at 7:23 PM Martin Thomson <mt@lowentropy.net> wrote:
> > I think that it might be best to respond with a little more context on what I believe the potential application of oblivious HTTP would be.  The draft doesn't really go into that, because that isn't really a good place to capture these sorts of things.
> > 
> > Just to set this aside, I don't see this as building toward replicating something like Tor.  There are obvious parallels, but the two approaches have very different assumptions about trust and the incentives of various actors.  Tor, as a system, is also far more complex and ambitious.  So, by all means look for parallels in Tor, but understand that this has very different models for both the threats it considers and the environment it might be deployed in.
> > 
> > The other thing that I think is important to understand is that - at least from my perspective - the goal is not to carry any significant proportion of HTTP requests.  For instance, I don't see this being used for web browsing.  If we're willing to echo cookies, then you can safely assume that we won't be making those requests oblivious.  And many other cases benefit from being able to establish some sort of continuity, if only to deal with denial of service risks.  Each application would have to be assessed on its own.
> > 
> > The things that we're talking about using this are those cases where we have identified a privacy risk associated with having a server being able to link requests.  The original case in research was DNS queries, where it has been shown that building profiles of users based on their DNS activity has poor privacy properties.  At Mozilla, we're also considering this style of approach in other places that browsers make requests with information that might be sensitive, like telemetry reporting.
> > 
> > There are non-trivial costs associated with setting this up.  As a proxy needs to be run by a separate entity, but they don't see any direct benefit from the service they provide, you have to arrange for their costs to be met somehow.  You need to do so in a way that the server can ensure that the proxy is not enabling DoS attacks, while also retaining sufficient independence that clients can trust the proxy.  This is harder as the use cases become more general, but we believe that this can be arranged for certain specific cases.
> > 
> > Does the explanation about applicability help?  I realize now that I shouldn't have left this up to inference, and the draft should probably at least address the point directly, so I'll make sure that the next version does something about that.
> 
> I agree the draft should talk about this. I initially read it as 
> intending a general replacement for proxying strategies, which seemed 
> odd. As you note, in more stateful contexts like web browsing, the 
> correlation boundaries are so much larger than a request that this 
> probably doesn't buy much over simply partitioning connection pools. 
> Whereas I could see applications with more standalone requests wanting 
> different tradeoffs.
> 
> One comment on the privacy properties here: the requests are only as 
> uncorrelated as the key configurations used by the client. In the 
> online HTTPS fetch model described here, if each client independently 
> fetches, the server could maintain many configs and serve a different 
> one each time. I assume that the client will cache the key 
> configuration (otherwise it needs a new fetch per request, at which 
> point it may as well just tunnel HTTPS), which means clients can be 
> identified, or partially identified by their keys. This is helped a bit 
> by the small keyID size: the server gets 8 bits plus a couple more from 
> algorithm selections, and then the rest must come from trial 
> decryption. But how well this mitigates it depends on volume and 
> whether this could be combined with information in the requests 
> themselves. (E.g. telemetry reports may reveal platform information or 
> rough performance characteristics.) That's probably worth some text, 
> both on the privacy implications of the suggested configuration model, 
> and on privacy implications of configuration models in general.
> 
> Alternatively, the proxy could cache and serve the key configuration. 
> Then everyone behind the same proxy uses the same config. Though you'd 
> then need some kind of offline authentication on the config, such as 
> SXGs.
> 
> I think the draft should also discuss the security implications a bit 
> more, since it's replacing the guarantees you'd otherwise get from 
> proxying HTTPS. Some things that came to mind:
> 
> - Related to all the online vs offline signature excitement, the client 
> probably needs to enforce a time bound on key configurations, in order 
> to contain the effects of a temporary compromise.
> 
> - Like TLS 1.3 0-RTT, encapsulated requests don't have replay 
> protections and lack forward secrecy. This shouldn't be used where 
> replay protection matters, and key configurations should be rotated 
> frequently.
> 
> - Unlike TLS 1.3 0-RTT, encapsulated responses also lack forward 
> secrecy. (If it's an issue, I suppose you could fix this by doing a 
> second HPKE in the other direction and binding the two together.)
> 
> David

v2.23.0 | Report a Bug | By Email