Re: HTTP/2 and Pervasive Monitoring

Amos Jeffries <squid3@treenet.co.nz> Fri, 15 August 2014 05:58 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8835C1A077E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 Aug 2014 22:58:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.57
X-Spam-Level:
X-Spam-Status: No, score=-7.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3cgemWHoXNyW for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 Aug 2014 22:58:00 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CB9A1A0687 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 14 Aug 2014 22:57:59 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XIATC-0008IT-EY for ietf-http-wg-dist@listhub.w3.org; Fri, 15 Aug 2014 05:54:34 +0000
Resent-Date: Fri, 15 Aug 2014 05:54:34 +0000
Resent-Message-Id: <E1XIATC-0008IT-EY@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1XIASk-0008Hc-Bn for ietf-http-wg@listhub.w3.org; Fri, 15 Aug 2014 05:54:06 +0000
Received: from 121-99-228-82.static.orcon.net.nz ([121.99.228.82] helo=treenet.co.nz) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1XIASg-0001QL-Rv for ietf-http-wg@w3.org; Fri, 15 Aug 2014 05:54:06 +0000
Received: from [192.168.2.97] (unknown [203.184.52.78]) by treenet.co.nz (Postfix) with ESMTP id 938BCE6A47 for <ietf-http-wg@w3.org>; Fri, 15 Aug 2014 17:53:30 +1200 (NZST)
Message-ID: <53EDA052.9050808@treenet.co.nz>
Date: Fri, 15 Aug 2014 17:53:22 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net>
In-Reply-To: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=121.99.228.82; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.449, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TVD_RCVD_IP=0.001
X-W3C-Scan-Sig: lisa.w3.org 1XIASg-0001QL-Rv adf6abf3790ec082da9c143bd23b8476
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/53EDA052.9050808@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26605
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 15/08/2014 2:58 p.m., Mark Nottingham wrote:
> I've had a few questions off-list about our stance regarding BCP188 <http://tools.ietf.org/html/bcp188> and HTTP/2, and want to make sure that the WG position is clear going into IETF LC.
> 
> The most relevant text in 188 is:
> 
>>    It is therefore timely to revisit the security and privacy properties
>>    of our standards.  The IETF will work to mitigate the technical
>>    aspects of PM, just as we do for protocol vulnerabilities in general.
>>    The ways in which IETF protocols mitigate PM will change over time as
>>    mitigation and attack techniques evolve and so are not described
>>    here.
>>
>>    Those developing IETF specifications need to be able to describe how
>>    they have considered PM, and, if the attack is relevant to the work
>>    to be published, be able to justify related design decisions.  This
>>    does not mean a new "pervasive monitoring considerations" section is
>>    needed in IETF documentation.  It means that, if asked, there needs
>>    to be a good answer to the question "Is pervasive monitoring relevant
>>    to this work and if so, how has it been considered?"
> 
> It's safe to say that pervasive monitoring is very relevant to HTTP.
> 
> We've had an extensive discussion regarding PM, most occurring during and between the August 2013 (Berlin) and January 2014 (Zurich) meetings. 
> 
> One proposal we considered was to require the use of TLS (through https:// URIs) for HTTP/2. However, some members of the community pushed back against this, on the grounds that it would be too onerous for some uses of HTTP (not necessarily CPU; cost and administration of certificates was cited as a burden, as was the follow-on disruption to applications, since transitioning from HTTP to HTTPS often requires non-trivial content changes, due to the way that the browser security model works).
> 
> We also discussed an "Opportunistic Security" approach to using TLS for http:// URIs (but without authentication). This was a bit controversial too, as some community members felt that having another, weaker kind of security defined harms the long-term deployment of "full" TLS. 
> 
> After discussion in June 2014 (New York), however, we agreed to adopt this document as an optional extension, but only with Experimental status: <http://httpwg.github.io/http-extensions/encryption.html>. It's expected that we'll ship it shortly after HTTP/2.
> 
> I would characterise the WG a having a somewhat uneasy (but also pragmatic) consensus on this outcome. 

Nod.

> 
> To date, we've had one browser implementation express an intent to requiring https:// URLs for HTTP/2, one interested in https:// as well as Opportunistic Security for http:// URLs, and one that is interested in https:// as well as cleartext http://.
> 
> Note that most of the justification for our decision not to require https:// for HTTP/2 seems to be predicated on this part of our charter <http://datatracker.ietf.org/wg/httpbis/charter/>:
> 
> "The resulting specification(s) are expected to meet these goals for common existing deployments of HTTP[.]"
> 
> ... i.e., we're not able to argue that people who can't use https:// should just stay on HTTP/1.1. This charter text was written before BCP188 (and the incidents leading up to it), but has considerable support in the WG.
> 

While the particular trigger incident(s) for BCP188 had not occured. I
recall that (at least some of) the WG voting on charter was aware of PM
issue itself and earlier incidents of the same nature as leading to BCP188.
I am also confident that a solutino exists. We just have to agree on
what it looks like.

Amos

> 
> This is roughly what I intend to put in the Shepherd Writeup when we take it to the IESG, as of now (IETF LC may change things, of course). Does anyone have anything to add?
> 
> Regards,
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
>