Re: [perpass] A reminder, the Network is the Enemy...

Ted Lemon <> Thu, 21 November 2013 04:10 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E4E381AE0A1 for <>; Wed, 20 Nov 2013 20:10:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.426
X-Spam-Status: No, score=-2.426 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id z7XDeio6cVdz for <>; Wed, 20 Nov 2013 20:10:55 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E00E31AE094 for <>; Wed, 20 Nov 2013 20:10:55 -0800 (PST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 1D95F2380CB4; Wed, 20 Nov 2013 23:10:46 -0500 (EST)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Ted Lemon <>
In-Reply-To: <>
Date: Wed, 20 Nov 2013 23:10:44 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <>
To: Bjoern Hoehrmann <>
X-Mailer: Apple Mail (2.1822)
Cc: perpass <>, Nicholas Weaver <>
Subject: Re: [perpass] A reminder, the Network is the Enemy...
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Nov 2013 04:10:58 -0000

Bjoern, please don't take my reassertion of the problem I wanted to talk about as an indication that I consider the problem you want to talk about unimportant.   I agree that online ads present an attack surface, and that we should think about that.   I'm quite aware that my computer is running programs at the behest of ad networks (well, actually it's not, because I don't allow Flash in my web browser, but I certainly agree with you in principle).

The point of what I said previously was to talk about another attack surface with different characteristics.   The problem you are describing is one that's already on the radar of most of us tin-foil-hat wearers.   I just wanted to get an additional problem which is similar but really meaningfully different on the radar as well.

What's interesting about the http-with-identifying-info attack is that it can be easily prevented by not including identifying info or by using https.   Unfortunately the targeted-ad attack can't be addressed in this way, but that doesn't mean that the http-with-identifying-info attack isn't worth addressing.