Re: [Model-t] draft-thomson-tmi

Christian Huitema <huitema@huitema.net> Wed, 22 July 2020 15:10 UTC

To: Martin Thomson <mt@lowentropy.net>
Cc: model-t@iab.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/CaOPb_674mDcVB0OwPoKh7HgmfA>
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>

On 7/22/2020 5:35 AM, Martin Thomson wrote:
> On Wed, Jul 22, 2020, at 11:13, Christian Huitema wrote:
>> Now, voice 
>> codec just send at a constant bit rate, independent of the variations 
>> in speech. 
> I don't believe that this is true.  I don't think that countermeasures against these attacks are very widely implemented.  There is definite leakage, particularly for things like IVRs, so that might be worrying.  Of course, my information is a little dated.
>
>> Unless of course there is a clear requirement that devices can be 
>> audited -- and we need regulations for that.
> That seems to be the only real solution here.

Yes. I see the other messages from Colin and Carsten pointing out that
the audio leakage issue is not always fixed in encrypted voice, despite
being well known. I stand corrected and my trust in VoIP services is
notched down one point lower still, but the general point stands. The
general point is that a lot of the device inspection work going on today
amounts to exploiting bugs in the devices. Bugs in the PKI
implementation allow researchers to conduct MITM attacks and inspect the
traffic; absence of masking traffic or constant-length padding allows for
detection of voice activity. There are obviously many bugs in at least
some devices, which can be used in practice for some inspection. But I
don't believe we can rely on that forever. If privacy researchers can
exploit the bugs, so can a variety of hackers. We would rather get the
bugs fixed. But then, we do need a requirement to allow inspection.

My other point is that the most egregious leakage happens in the cloud.
Yes, like Mirja suggests, I would personally not install cloud backed
devices in my house. But that's a trade-off between function and safety,
and today I don't believe we can impose that trade-off on the public at
large. That means that if there is to be regulation of devices, it has to
address the cloud as well.

-- Christian Huitema