Re: [Masque] MASQUE detection through tracking trackers

Ted Hardie <> Tue, 05 November 2019 18:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C1DAA120058 for <>; Tue, 5 Nov 2019 10:13:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LRlbnbMlgDAh for <>; Tue, 5 Nov 2019 10:13:39 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8753D12001A for <>; Tue, 5 Nov 2019 10:13:39 -0800 (PST)
Received: by with SMTP id r9so2422982ilq.10 for <>; Tue, 05 Nov 2019 10:13:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=X52UPwnFkU5COFI91xVDzRmZn8BdjLyUyLwZqSKebYM=; b=IlDIEVm11nC7vKXK7QH0qdJ8OFRaajUqNyJj5feKD9eTYf/lW+45xupBm5Fbh83tnm lZXM7ZLYKD1wHs0Cqa2WD2IWp49U+AzjI7FFE04kh+8ZAhfiPpXg2bhrg/kktOP81ssn 9okO4+yYgHJbI01xX9zJiwyBOO30VkGbsgBSHzj+PbDgo2gqCJDW7HSIzCLtTB7RyhdG S9Z7EX17u1t0WaXyBC6ZCOkYPm3SX5LiAHG7NIcZfwE8FRewDRYHzMJDvhk+O84y+7dD ytcLTPRlsOGpl1snZXZlAN4rlGAhM9aLnNFnwyOcJijfhss+54L7vRt+V2Lo8rcon5U+ 80Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=X52UPwnFkU5COFI91xVDzRmZn8BdjLyUyLwZqSKebYM=; b=kCMsegbe4r455HKk36bIfx15IBUJAhuCY00ZQiF+VQRugwb4lBYJd04VdxHyy9tKPs LUf0ZMBViWOiGTiZT3x837XavTS1y5LiNdoHfdWnMSNNRqa2lKKYztXELTk64gcV8SyV iPxlKWf52cnvN7nl3IElnhTs8hPUonQO6bFx5vIo9N82VkCr0S9n3bhz6yH2d1EXZYLn hNcIqAWfiTWClhgos6Fo483E47I0TqXgEp86iSEWzt7UG5pIcEARp6JUw0kYP5O8L+tJ u7nyHOIMxZyLTTgl5rLSE4T8HQ8NpmZ+DeGbOJKDKs/KiVtgU8W1TJhvRB9by6xB8N2r cMgg==
X-Gm-Message-State: APjAAAXcVS15zBvVruu80BbkMgi3ShyHZUBtfJORB9UWe98F/Wf8tSTh pvXQAF9/Ez5rHzkGm4atOdU42+6BkdajwRXbzdI=
X-Google-Smtp-Source: APXvYqyIhgDhlvx94RxyOK8b3jb/ARlDoFkNB9J+DQCSq2quNtq4st8AaALYEs4KhvthYeJK76b6L9Z7dE5QywFXdk0=
X-Received: by 2002:a92:c10f:: with SMTP id p15mr9989622ile.119.1572977618527; Tue, 05 Nov 2019 10:13:38 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Ted Hardie <>
Date: Tue, 5 Nov 2019 10:13:11 -0800
Message-ID: <>
To: =?UTF-8?Q?T=C3=B6ma_Gavrichenkov?= <>
Content-Type: multipart/alternative; boundary="000000000000312c2005969d6473"
Archived-At: <>
Subject: Re: [Masque] MASQUE detection through tracking trackers
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Nov 2019 18:13:42 -0000

Hi Töma,

Replies in-line.
On Tue, Nov 5, 2019 at 9:31 AM Töma Gavrichenkov <> wrote:

> Peace,
> On Tue, Nov 5, 2019, 8:15 PM Ted Hardie <> wrote:
>> You included HTTP(S) in the "redirect to a web page" here, but it's not
>> clear why the client connection would continue far enough to display a web
>> page
> No, obviously, this is a captive portal story.  Every page would just
> display a TLS error, so the user would have to click through it at some
> point to regain access.
> Okay, so any system not configured to allow that just hard fails.

>>> Any idea if this is being sold/deployed in Europe?  Because it looks
>> like it amounts to "you must disclose your data to 3rd party trackers" to
>> access unrelated resources.
> I can't say I'm following your point.
> Anyhow, the customer base is mostly out of the EU I believe.  Why?
>  I'm hardly a GDPR expert
> Me too, but I don't see any issues with GDPR.  The vendor does not own a
> Web tracker, they only track existing ones.
> Again, I am not expert here, so my presumption may well be wrong.  But if
I understand the system correctly, a client which does not consent to using
the trackers (like the NoScript user) is prevented from accessing
anything.  The network deploying the device thus seems to be requiring
disclosure of information to use its service, even though what it is
collecting is signal from the data rather than the data itself.

The regulations require that when "data is collected, data subjects must be
clearly informed <> about the
extent of data collection, the legal basis for processing of personal data,
how long data is retained, if data is being transferred to a third-party
and/or outside the EU, and any automated decision-making that is made on a
solely algorithmic <> basis." (from
Wikipedia's summary)  This would seem to run into those requirements (data
collection, 3rd party, algorithmic basis), hence the question about whether
it was sold in Europe.

Interesting that it is mostly EU customers.

>> From section 7.1:
> Yup, have read it.  PADDING frames won't help here.  A tracker may even
> not be running over QUIC.  I, for one, have no idea when e.g. NewRelic is
> going to adopt it.

Agreed; I cited it only to point out that it is currently out of scope.
Traffic analysis that includes non-QUIC traffic would be particularly hard
to address in the document anyway.

Thanks again for sending the information,