Re: [Pearg] [saag] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?
Eric Rescorla <ekr@rtfm.com> Thu, 05 January 2023 13:59 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB50DC1516EA for <pearg@ietfa.amsl.com>; Thu, 5 Jan 2023 05:59:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tL8I4D4V0CWF for <pearg@ietfa.amsl.com>; Thu, 5 Jan 2023 05:59:22 -0800 (PST)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA68AC1516FF for <pearg@irtf.org>; Thu, 5 Jan 2023 05:59:22 -0800 (PST)
Received: by mail-pg1-x536.google.com with SMTP id s67so15244562pgs.3 for <pearg@irtf.org>; Thu, 05 Jan 2023 05:59:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=j7L0h+fRX7J84W6X4nePiNL1HUjp22iWmUUwbkwY2KM=; b=JyxOm4AldX1TMx+MCDY1wsvzqiA2FaEJc7CWintKOuTW5nTjD4nJBdSaFZ1mbyr24o B1csNbC5+xykkNIkTHMvDiCfB1ACbQEkE8J3fZC/4rczm98+q19GBjfvfvbESgK8PH5H cBSVDhOORARmmXp92HbuxSAMzZTIpSzzmDpTjmgqqItBFhL8x6PlGMcl2xkoHZ4DRRMg TOE1Xz6hbm+bHJ+tc/krqA9O5Bb9U+NzbaN8X98ezVXRcVKXfHEajxAnXzG8fRc5KsV2 j1t+C4Dh4rt2XMkHgKhECZR2sQLH750Ldxi4B8L+6Z2ibjO8PY9eagAFMFssJP2yLZtr OEzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=j7L0h+fRX7J84W6X4nePiNL1HUjp22iWmUUwbkwY2KM=; b=6JF+vi5aVLOjzE0Xp/Pa6cNJCY5EZSu4mrawHlyHYKO15rItxXVdPuqM3mkK3x9Bjs Y5lv+Lr6iK1BI7pRRrCpDH6HDd1JzhUkgt3dMnvDBeo8WNHgndTKhAIzLkgF2BJG7y75 4/G3SpILHQa4N3z0OO9s8vtVYnAntmQCoGLPxfDdBwCVXgUhtTlxV2F1UORnhhMWN14i /bV1HpGWHoh1Id59gQU0fM+PO6R8ZHCeFT/IAU+wm/SNHEt1X2ZrdQoHPQb9g763Kr0f f9xdiRQk1G2xQbzkbD7bqxkonHyICPj9S167SJrAppENprfzrA1gH/5+zJ2o7UtWv2xD 4HQw==
X-Gm-Message-State: AFqh2koj7hiLx0zfR9lnxZ4g+tOvW2QJUNMfLEWzPm2Bs8Oi3kJGWbRC iIwiY8R11DYBZsZVzLcRG+YYUxaorOeSUAXYzQul9Q==
X-Google-Smtp-Source: AMrXdXsKlLMXrU8x7TpHFJ1uC3qEODUTxrDK+SoB4sS4HWTanAgZIyaI29ltkSFQHmgyF3EUvsqCxrqUENi9VWfk/JI=
X-Received: by 2002:aa7:9f85:0:b0:581:96f4:d1da with SMTP id z5-20020aa79f85000000b0058196f4d1damr2099165pfr.84.1672927161971; Thu, 05 Jan 2023 05:59:21 -0800 (PST)
MIME-Version: 1.0
References: <HE1PR0701MB305098F652DBC34E3C40810B89F49@HE1PR0701MB3050.eurprd07.prod.outlook.com> <764163366.39904.1672842828297@appsuite-gw2.open-xchange.com> <CABcZeBNA_nJ2waQVENUvEXro91wAYOcH0ZxWqbLH4hoKcGkosw@mail.gmail.com> <9658281.42904.1672912808774@appsuite-gw2.open-xchange.com> <CA+9kkMBLiijcAyLYn_6h8z3N00EDaxdP=f7P2-qUt4Bn1iSWEg@mail.gmail.com> <HE1PR0701MB30505DC24A725E014D60FE0189FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB30505DC24A725E014D60FE0189FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 05 Jan 2023 05:58:45 -0800
Message-ID: <CABcZeBPc0r275AiCL=qWTnzFT9PoQ9WMHz+GcmQZG8pgv2dmbw@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, "ietf@ietf.org" <ietf@ietf.org>, "hrpc@irtf.org" <hrpc@irtf.org>, "pearg@irtf.org" <pearg@irtf.org>, saag <saag@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039938005f184b553"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/9a2QjZYNNWiQwtjnXEoS6Fzm1ow>
Subject: Re: [Pearg] [saag] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2023 13:59:23 -0000
Hi John, Thanks for raising this topic. I would make a few points here. 1. I've heard the term "zero trust" used in a number of ways, ranging from "use a network architecture that doesn't involve firewalls" to "blockchain". So I'm not sure that talking about "today's zero trust principles" is going to get us very far. 2. I agree that there are very significant threats to people's security and privacy at the endpoints, from a number of sources, including (1) software that was installed for users without their consent (2) software that they intended to install and does not behave the way that they expect and (3) direct attack on the software on their machines. 3. Essentially none of these threats are the province of the IETF, which defines networking protocols. We are not well positioned to either (1) improve the security of those endpoints or (2) address situations in which the software on the endpoint is directly attacking the user's privacy, e.g., by leaking their browsing behavior within an app. 4. I agree that there are some modifications to those protocols (you raise PFS above, and also in some cases PCS, but perhaps even moreso, the use of replayable identifiers such as passwords and cookies) that would somewhat improve the resistance of those protocols to attack on the endpoints. In my experience, the IETF does take these forms of attack reasonably seriously. 5. The oft-cited RFC 3552 language about assuming the endpoints doesn't reflect a lack of awareness that endpoints can be compromised; we were well aware of such attacks at the time we wrote 3552. Rather, it's about the separation of concerns and having the protocol pieces do what they are able to do: The Internet environment has a fairly well understood threat model. In general, we assume that the end-systems engaging in a protocol exchange have not themselves been compromised. Protecting against an attack when one of the end-systems has been compromised is extraordinarily difficult. It is, however, possible to design protocols which minimize the extent of the damage done under these circumstances. As you can see, this text explicitly acknowledges the possibility of endpoint compromise and considers that it is possible to partly mitigate it, as I said above. I think we should continue to ask the question of whether we could do better in this area, as you do above, but I think that the most appropriate way for the IETF (as opposed to other organizations, such as, say TC39 or Bytecode Alliance) to do this is to focus on improving our protocols. -Ekr On Thu, Jan 5, 2023 at 3:13 AM John Mattsson <john.mattsson@ericsson.com> wrote: > Agree that there is not a single threat, and I don’t think it is so > important to determine which one of the threats that are the biggest. The > last 10 years IETF has been quite good at securing transit (which is great > and something we should celebrate) while at the same time mostly ignoring > endpoint threats. As Vittorio writes, this poses a risk to damage IETF’s > reputation. Assuming that endpoints are not compromised, not malicious, and > that the interests align with the interests of the end-users feels quite > outdated with today’s zero trust principles. > > Cheers, > John > > *From: *Ted Hardie <ted.ietf@gmail.com> > *Date: *Thursday, 5 January 2023 at 11:36 > *To: *Vittorio Bertola <vittorio.bertola@open-xchange.com> > *Cc: *Eric Rescorla <ekr@rtfm.com>, John Mattsson < > john.mattsson@ericsson.com>, ietf@ietf.org <ietf@ietf.org>, hrpc@irtf.org > <hrpc@irtf.org>, pearg@irtf.org <pearg@irtf.org>, saag <saag@ietf.org> > *Subject: *Re: [Pearg] [saag] Ten years after Snowden (2013 - 2023), is > IETF keeping its promises? > > A quick response in-line. > > > > On Thu, Jan 5, 2023 at 10:00 AM Vittorio Bertola <vittorio.bertola= > 40open-xchange.com@dmarc.ietf.org> wrote: > > > > Il 04/01/2023 20:33 CET Eric Rescorla <ekr@rtfm.com> ha scritto: > > > > I still think this was a big fail; in fact, this implies that > counteraction against surveillance capitalism practices can only happen > elsewhere, at the regulatory level, as the IETF community either does not > know what to do about it, or does not want to do anything about it. > > > > I don't think this is true at all. > > > > First, the IETF *is* working on issues around privacy and preventing > various forms of surveillance capitalism. That's in part what initiatives > like DoH, QUIC, TLS 1.3, ECH, OHAI, MASQUE etc. are about. > > Of course you will disagree with what I am going to say, but here is the > common (though not unanimous) viewpoint from the technical policy community > of a different part of the world - no offense implied. > > > > In Europe, "surveillance capitalism" is basically synonymous with a set of > a few very big American companies that happen to be the ones promoting and > deploying the standards you mention. > > > > First, I'm not sure that it is reasonable to assume that there is a single > European position on anything. Brussels is not Lisbon and neither is Oslo > or Budapest. And within each of those, academics, regulators, and civil > society may have different opinions. As in the US, there are folks > cheering for DoH and people opposed; there are people delighted with OHAI > and folks depressed about it. > > > > Second, I think we have to be careful to talk as if there is a single > threat model here. At least one of the threat models is truly about > pervasive surveillance, which reflects an updated understanding that an > attacker may be omnipresent across the network and thus able to correlate > activities that a sender or receiver previously assumed could not be > linked. That's what RFC 7624, Section 5 described. Many of the key > characteristics of protocols like QUIC were designed with this threat model > in mind; they provide increased confidentiality on the wire. Because that > threat model is focused on observation, rather than the capabilities of the > parties, it has little to do with concerns that a small set of players is a > party to many different sorts of communications. That's a different > threat, and some of the work to address it, like OHAI, starts from very > different principles as a result. > > > > Both amongst ourselves and when talking to those working in policy > circles, I think it is very important to be clear on what threat we > perceive and what responses target that. Lumping all the threats and all > the responses together makes it difficult to see the progress that has been > achieved and even more difficult to identify where work still needs to be > done. > > > > Just my personal opinion, of course, > > > > regards, > > > > Ted Hardie > > > > So, it will be hard to convince people in Brussels or Berlin that those > standards are meant to put the business model of their proponents under > check. Actually, they are more likely to lead to the conclusion that the > IETF is being used as an instrument to further that business model, and > that the encrypted network architecture that it is promoting is meant to > disempower end-users and any other party (including European law > enforcement and privacy authorities) from checking what the endpoints do, > which information they send and who they send it to, facilitating > uncontrolled data extraction practices by the private companies that mostly > control the endpoints, i.e. the above ones. > > > > There is a general feeling that the bigger threats to user privacy are now > not in transit, but in or before the endpoints. So, the fact that the IETF > does not want to consider threats in the endpoints is seen as additional > evidence for the above. > > > > -- > > Vittorio Bertola | Head of Policy & Innovation, Open-Xchange > vittorio.bertola@open-xchange.com > Office @ Via Treviso 12, 10144 Torino, Italy > >
- [Pearg] Ten years after Snowden (2013 - 2023), is… John Mattsson
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Christopher Wood
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Brian E Carpenter
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Phillip Hallam-Baker
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Christian Huitema
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Dave Taht
- Re: [Pearg] [hrpc] Ten years after Snowden (2013 … Adrian Gropper
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Stewart Bryant
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eliot Lear
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Antoine FRESSANCOURT
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Lloyd W
- Re: [Pearg] [saag] Ten years after Snowden (2013 … George Michaelson
- Re: [Pearg] [hrpc] Ten years after Snowden (2013 … Niels ten Oever
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Vittorio Bertola
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Dave Taht
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… John Mattsson
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Stewart Bryant
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eric Rescorla
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Christian Huitema
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eliot Lear
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brian E Carpenter
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Vittorio Bertola
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Ted Hardie
- Re: [Pearg] [saag] Ten years after Snowden (2013 … John Mattsson
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Kyle Rose
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Antoine FRESSANCOURT
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eric Rescorla
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alan DeKok
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [EXT] Re: [saag] Ten years after Snow… Vittorio Bertola
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alan DeKok
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dave Taht
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [hrpc] Ten years after Snowden (2013 … Stephen Farrell
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Deen, Glenn (NBCUniversal)
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… bzs
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Laurence Lundblade
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Mark Nottingham
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Abdussalam Baryun
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Laurence Lundblade
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Adrian Gropper
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] [hrpc] Ten years after Snowden… Tony Rutkowski
- [Pearg] times square 15 sec delay new years Dave Taht
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dan Harkins
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Vittorio Bertola
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alec Muffett
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alec Muffett
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Mark Nottingham
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Vittorio Bertola
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Ted Lemon
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Lloyd W
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Fernando Gont
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Fernando Gont
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Luigi Iannone
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Christian Huitema