Trust and privacy problems with draft-loreto-httpbis-explicitly-auth-proxy

Raphaël Durand <mail@raphaeldurand.fr> Mon, 05 May 2014 11:28 UTC

Message-ID: <536775D2.4090708@raphaeldurand.fr>
Date: Mon, 05 May 2014 13:28:18 +0200
From: =?ISO-8859-1?Q?Rapha=EBl_Durand?= <mail@raphaeldurand.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Trust and privacy problems with draft-loreto-httpbis-explicitly-auth-proxy
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/vAp2q8GGvr4Qh23EZJFyFC9nC8I

I've just read the draft draft-loreto-httpbis-explicitly-auth-proxy, and
I see a lot of trust and privacy problems in this "Explicit auth proxy".
https://datatracker.ietf.org/doc/draft-loreto-httpbis-explicitly-auth-proxy/?include_text=1

The first problem is in the "opt-out" section (3.3).
First, it has to be "opt-in", not "opt-out" (it's called an "explicit
auth proxy", isn't it?).
Second, in order to be efficient, a proxy has to be a bottleneck, so the
user can't get around it.
How can you implement the 3.3 scheme? Does the proxy become transparent?
So if a user doesn't trust the proxy, he must pass through it anyway?

The other problem concerns the trust model using CA certificates as
described in section 3.1.
What sort of certificate do these proxies need? Do they need a wildcard
for the entire Internet?

"To ensure the trustfulness of proxies, certification authorities
validation procedure for issuing proxy certificates should be more
rigorous than for issuing normal certificates and may also include
technical details and processes relevant for the security assurance."

No, public CAs must not sign these certificates. Proxy certificates
must be signed by a local CA explicitly trusted by the user
(here and only here must be the explicit agreement).

"6. Security Considerations"
"Those resources are protected end-to-end between user agent and
origin server as usual."

No, they are not: there is a third-party proxy between them. The user does
not operate it, so he can't trust it.

"Users should also be made aware that the proxy has visibility to the
actual content they exchange with Web servers, including personal and
sensitive information."
That's the point, and that's why HTTP/2 must be flawless. Because the
average user is never aware of security concerns, IETF standards and
software based on them must be flawless and uncompromising.

Such systems were deployed in Libya and Syria to trap opponents and kill
them (or worse). We should not standardize a method used as a weapon of
war by some governments.
The strength of a chain depends on its weakest link; do not
intentionally add weak links such as these proxies.
Such proxies must not exist. End-to-end encryption must not be
intercepted or compromised.

Best regards.
Raphaël Durand.