Re: [perpass] Traffic analysis
"Richard Shockey" <richard@shockey.us> Tue, 29 October 2013 21:44 UTC
Return-Path: <richard@shockey.us>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8390511E829E for <perpass@ietfa.amsl.com>; Tue, 29 Oct 2013 14:44:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.419
X-Spam-Level:
X-Spam-Status: No, score=-101.419 tagged_above=-999 required=5 tests=[AWL=-0.309, BAYES_05=-1.11, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EyxB+OCxVVgV for <perpass@ietfa.amsl.com>; Tue, 29 Oct 2013 14:44:23 -0700 (PDT)
Received: from outbound-ss-1429.hostmonster.com (outbound-ss-1429.hostmonster.com [74.220.221.129]) by ietfa.amsl.com (Postfix) with SMTP id BAB0021E80A8 for <perpass@ietf.org>; Tue, 29 Oct 2013 14:44:17 -0700 (PDT)
Received: (qmail 21175 invoked by uid 0); 29 Oct 2013 21:43:48 -0000
Received: from unknown (HELO box462.bluehost.com) (74.220.219.62) by oproxy9.mail.unifiedlayer.com with SMTP; 29 Oct 2013 21:43:48 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:Cc:To:From; bh=banp90yfaDwCZ+SUeDfO1j0DSmf/Vdi0ChHXVY9jxXI=; b=QADgDYXylPHod9Tv5JbIjHu/WGyMeLA5FX2IGGebUFHUciz2WdWy8UwXmIRxieGD1keN0opqv1k2+R7E+QdoYflzfMbWLXngr9fcGR0FRxJDXtEd+xXENpVEKTco3+Y3;
Received: from [71.114.100.16] (port=58313 helo=RSHOCKEYPC) by box462.bluehost.com with esmtpa (Exim 4.80) (envelope-from <richard@shockey.us>) id 1VbH4m-0007Se-8x; Tue, 29 Oct 2013 15:43:48 -0600
From: Richard Shockey <richard@shockey.us>
To: ned+perpass@mrochek.com, 'Joe St Sauver' <joe@oregon.uoregon.edu>
References: <13102810494583_8A24@oregon.uoregon.edu> <01P04ABSOR0E00004R@mauve.mrochek.com>
In-Reply-To: <01P04ABSOR0E00004R@mauve.mrochek.com>
Date: Tue, 29 Oct 2013 17:43:47 -0400
Message-ID: <01e901ced4ef$f3615e80$da241b80$@shockey.us>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJbINlGk4dbslrbCasP2HTDqkp5+gE2ialimOnkLJA=
Content-Language: en-us
X-Identified-User: {3286:box462.bluehost.com:shockeyu:shockey.us} {sentby:smtp auth 71.114.100.16 authed with richard@shockey.us}
Cc: perpass@ietf.org, huitema@huitema.net, stephen.farrell@cs.tcd.ie
Subject: Re: [perpass] Traffic analysis
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2013 21:44:30 -0000
Ned makes a number of excellent points here and the real elephant in the room is under what terms and conditions is the ongoing collection of metadata about IP communications in any form actually needed and in fact absolutely necessary. There are perfectly good reasons to collect this stuff. Though the ongoing concern of this list is clearly the Snowden revelations some of us actually want that data to prevent and investigate real and legitimate fraud and abuse within the communications systems, optimize network transport etc. First if you take a little stroll over to the IETF STIR problem statement you will see that fraudulent voice communications is becoming a huge problem for National Regulators and Law Enforcement. In the US the failure of Rural Calls to certain areas now requires the US carriers to maintain ever larger CDR records in order to preserve the integrity of the PSTN itself. http://www.fcc.gov/document/fcc-acts-combat-call-completion-problems-rural-a merica Consumers are totally outraged by the violations of THEIR PRIVACY... the right to be left alone... by malicious Robo Callers who ignore the various Laws about Do Not Call lists etc. E-Mail spam has not gone away by any account but the need for logs and records to attempt to track criminal activity is still required. We want to hunt these people down and shut down their operations. The issue is appropriate safeguards on those records and there is essentially nothing the IETF can do about that. It is useful to talk about strengthening key length and understanding to underlying archectural reasons no one really wants to deploy secure communications. I totally agree with this statement. " I think there are small technical changes around the edges that can help, but I really see the solutions for the metadata problem as more political and social than technical. Concentrating on making encryption really, really easy to use would go a lot further at this time than messing with deep changes, because people are not even using what is already available." Though I would not have used Tony's precise language on a public mail. I'm afraid I agree with the underlying sentiment. There are more than one joke running around Washington DC about actually wanting the NSA to keep the CDR records if they would actually use them to stop robo calls and call spoofing. -----Original Message----- From: perpass-bounces@ietf.org [mailto:perpass-bounces@ietf.org] On Behalf Of ned+perpass@mrochek.com Sent: Monday, October 28, 2013 2:30 PM To: Joe St Sauver Cc: perpass@ietf.org; huitema@huitema.net; stephen.farrell@cs.tcd.ie Subject: Re: [perpass] Traffic analysis > Hi, > Stephen Farrell <stephen.farrell@cs.tcd.ie>: > #Not quite sure, but I think we might get some benefit at the #moment > from considering how specific fields in real protocols #undermine > privacy (e.g. as Christian's draft does with the #Received header > fields in mail messages) even if/when TLS or #other existing security > mechanisms are properly used. > My concern is that many traffic analytic approaches tend to be > exceedingly robust to "protocol improvements." Protocol tweaks may > accomplish little when it comes to practically improving privacy if > the underlying protocol's architecture and operational practice goes > unchanged. > For example, when it comes to email, shouldn't section 6 of > http://huitema.net/papers/draft-huitema-perpass-analthreat-00.txt > basically say, "if you want to avoid traffic analytic approaches in > the case of email, deploy and use Mixmaster anonymous remailers"? > ( > https://en.wikipedia.org/wiki/Anonymous_remailers#Untraceable_remailer > s ) And good luck with that, at least on any kind of scale. But your underlying point is very well taken: The section on email in this draft focuses on irrelevancies and fails to take note of the real issues. I hate to sound like a broken record, but folks really need to have some familiarity with present-day email as it is actually deployed before making these sorts of asssessments. Again, present day email usage is increasingly concentrated to a fairly small number of large ISPs and MSPs. (Small ISPs and enterprise setups are shifting to using cloud services, and while the Snowden revelations may have slowed this trend, they haven't stopped it.) In regards to traffic analysis, this is in some ways a good thing. If the connections from user clients to the ISP/MSP servers are secured at the transport layer - and I have demonstrated that a lot of them are - then we gain a lot by securing the streams between the large providers at the transport level. But the elephant in the corner is logging. Service providers maintain very extensive logs of email traffic, if for no other reason than as a support tool. These logs provide every possible detail needed for traffic analysis. Of course one of the earliest Snowden revelations was that the NSA is collecting these logs from US providers on a massive scale. And hopefully everyone is aware of Smith v. Maryland, which essentialls says that metadata is not constitutionally protected. But before Eupopeans and others get all smug about this, speaking as someone who has seen quite a few RFPs for mail systems, the only substantive difference I see between the US and elsewhere is the US approaches this in a less organized and systematic way and generally has fewer auditing and data protection requirements. The data is still being collected, and most likely shareed. And as for practical and deployable measures that can be undertaken to address this, I'm at something of a loss to suggest anything. Shifting back to a more decentralized model sounds nice, but seems a bit outside the purview of a standards process to try and make that happen. And even if it a completely decentralized model was practical, in a peer-to-peer world the metadata that would accrue from watching the connections themselves would be a fair substitute. As for mixed models, look at what happened to Lavabit. > And if we *are* talking about that sort of approach, then I think > inevitably we also need to talk about how we simultaneously manage to > allow *wanted* private traffic while simultaneously preventing or > managing *unwanted traffic* (e.g., spam). Yep. It's a daunting problem. And it is far from the only one. > An awful lot of current anti-spam technology depends upon either > reputation (which is obviously not present in the case of > anonymous/non-attributable traffic), or content analysis (which is > also obviously problematic, at least if we presume use of end-to-end > encryption (at least until the content is decrypted on the end-user's > device)). You basically have to push the content checks to the client. This has not proven to be a terrific solution in practice. > I also think that if you're serious about email privacy, you really > can't keep the discussion just at the level of sanitizing headers. You > need to get into the format of the content that's allowed as well. For > example, it's well known that non-plain text email content (e.g., > HTML-formatted email) is potentially a serious threat to privacy due > to potential use of things like tracking gifs included in > HTML-formatted email. I think we can do a lot to make it harder to snoop on email content, although ironically what we're likely to be able to accomplish under the "prism-proof" rubric is unlikely to much of anything about the data collection the actual Prism program performs. But traffic analysis... unless the fact that those logs are likely to only be accessible to state entities offers some consolation, I don't think there's going to be much happiness here. Ned _______________________________________________ perpass mailing list perpass@ietf.org https://www.ietf.org/mailman/listinfo/perpass
- Re: [perpass] Traffic analysis Brian Trammell
- Re: [perpass] Traffic analysis Brian E Carpenter
- [perpass] Traffic analysis Christian Huitema
- Re: [perpass] Traffic analysis d.nix
- Re: [perpass] Traffic analysis Christian Huitema
- Re: [perpass] Traffic analysis Christian Huitema
- [perpass] Traffic analysis Christian Huitema
- Re: [perpass] Traffic analysis Stephen Farrell
- Re: [perpass] Traffic analysis Ben Laurie
- Re: [perpass] Traffic analysis Stephen Farrell
- [perpass] Perpassturbating metrics Tony Rutkowski
- Re: [perpass] Traffic analysis Joe St Sauver
- Re: [perpass] Traffic analysis Stephen Farrell
- Re: [perpass] Traffic analysis Joe St Sauver
- Re: [perpass] Traffic analysis Stephen Farrell
- Re: [perpass] Traffic analysis Mike Demmers
- Re: [perpass] Traffic analysis ned+perpass
- Re: [perpass] Traffic analysis d.nix
- Re: [perpass] Traffic analysis Stephen Farrell
- Re: [perpass] Traffic analysis Tony Rutkowski
- Re: [perpass] Traffic analysis Eric Burger
- Re: [perpass] Perpassturbating metrics Dave Crocker
- Re: [perpass] Perpassturbating metrics Tony Rutkowski
- Re: [perpass] Perpassturbating metrics Dave Crocker
- Re: [perpass] Perpassturbating metrics Alissa Cooper
- Re: [perpass] Perpassturbating metrics Peter Saint-Andre
- Re: [perpass] Perpassturbating metrics Brian Trammell
- Re: [perpass] Traffic analysis Richard Shockey
- Re: [perpass] Traffic analysis Stephen Farrell
- Re: [perpass] Traffic analysis Douglas Otis
- Re: [perpass] Traffic analysis Tony Rutkowski
- Re: [perpass] Traffic analysis Richard Shockey
- Re: [perpass] Traffic analysis Eliot Lear
- Re: [perpass] Traffic analysis Joe St Sauver
- Re: [perpass] Traffic analysis Eliot Lear
- Re: [perpass] Traffic analysis Tony Rutkowski
- Re: [perpass] Traffic analysis Hannes Tschofenig
- Re: [perpass] Traffic analysis Tony Rutkowski
- Re: [perpass] Traffic analysis Scott Brim
- Re: [perpass] Traffic analysis Tony Rutkowski
- Re: [perpass] Traffic analysis Dave Crocker
- Re: [perpass] Traffic analysis d.nix
- Re: [perpass] Traffic analysis Tony Rutkowski
- Re: [perpass] Traffic analysis Scott Brim
- Re: [perpass] Traffic analysis Tony Rutkowski