Re: Proposed Statement on "HTTPS everywhere for the IETF"

Ted Lemon <Ted.Lemon@nominum.com> Thu, 04 June 2015 17:39 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 134651A6F33 for <ietf@ietfa.amsl.com>; Thu, 4 Jun 2015 10:39:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x-zeZVASADBQ for <ietf@ietfa.amsl.com>; Thu, 4 Jun 2015 10:39:24 -0700 (PDT)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E8621A6F30 for <ietf@ietf.org>; Thu, 4 Jun 2015 10:39:24 -0700 (PDT)
Received: from webmail.nominum.com (cas-04.win.nominum.com [64.89.235.67]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id 13239DA0077; Thu, 4 Jun 2015 17:39:24 +0000 (UTC)
Received: from [10.0.20.236] (71.233.43.215) by CAS-04.WIN.NOMINUM.COM (192.168.1.101) with Microsoft SMTP Server (TLS) id 14.3.224.2; Thu, 4 Jun 2015 10:39:23 -0700
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <0ab501d09e37$f4098980$dc1c9c80$@tndh.net> <556F6083.4080801@cs.tcd.ie> <0adf01d09e40$cf957b00$6ec07100$@tndh.net> <556F8339.5030002@cs.tcd.ie> <0b3901d09e73$7dad4740$7907d5c0$@tndh.net> <556FC594.1080900@gmail.com> <0b9001d09edc$63df32b0$2b9d9810$@tndh.net> <DA60EE0C-BC66-44E0-A00C-C9A96BA36DC6@cursive.net> <0bc201d09eea$c84782d0$58d68870$@tndh.net>
MIME-Version: 1.0 (1.0)
In-Reply-To: <0bc201d09eea$c84782d0$58d68870$@tndh.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-ID: <742103E1-7324-4340-96C2-72A16168FC7C@nominum.com>
X-Mailer: iPad Mail (12F69)
From: Ted Lemon <Ted.Lemon@nominum.com>
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
Date: Thu, 4 Jun 2015 13:39:22 -0400
To: Tony Hain <alh-ietf@tndh.net>
X-Originating-IP: [71.233.43.215]
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/NXdd0FBdIe0e_mcoTYvSFnByCgA>
Cc: Joe Hildebrand <hildjj@cursive.net>, "<ietf@ietf.org>" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 17:39:25 -0000

On Jun 4, 2015, at 1:20 PM, Tony Hain <alh-ietf@tndh.net> wrote:
> The set of possible requests is inherently public information. Pairing a
> request length with the possible set of return lengths seriously reduces the
> set, and that is before you factor in who is being watched and what they
> might be looking for.

No.   RFC numbers are all the same length, except for the very early ones.   Plus, the headers in a request vary enough that it's unlikely that this attack would be as easy as you say; furthermore, https used for privacy is most effective at preventing passive attacks, and in this case the expense of doing the sort of analysis you are describing would be significant.