IETF Logo Mail Archive

Re: A question about user tracking with QUIC

Lucas Pardue <lucaspardue.24.7@gmail.com> Mon, 07 June 2021 21:22 UTC

Return-Path: <lucaspardue.24.7@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCE3B3A11B8 for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 14:22:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 823oHkv5hDOW for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 14:22:13 -0700 (PDT)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C92B13A11B0 for <quic@ietf.org>; Mon, 7 Jun 2021 14:22:12 -0700 (PDT)
Received: by mail-ed1-x536.google.com with SMTP id r11so22041046edt.13 for <quic@ietf.org>; Mon, 07 Jun 2021 14:22:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2LFHA6nLg0aNJG/f04f1GETZJ5m8a1N+bRTz6+d58Cs=; b=TNuWBhi18CXHlD2wYMP5kJeDpjQXCTeYEQ6eCvE9z0DCoTgI5rIsg0y8J35GWe04EF +OYcBmRI+XXu2G1Y3CD39hcfUUHwdNvFfa5ZYypf8CHNsTCSPLvGxWF250Ur2fCuyDBU jiIZxVXnFIo5VsHF8Od7lT0JoE/7BwfYpOIrBY0xiE7quSQJCfqAso75trVt7OcRjKrd J1GHlZdUMzPLV3Hoqw1sOcORSYboLaAbrQirSE+PBtAvETAcxbBmmvYmPGBXHmRlwPq4 jrfXWJlFPAi2HUAKREMp8JYdtG+oWS3Av7uFce11npP4DYWyweu8RfC8q2TslLLtUmlZ bOVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2LFHA6nLg0aNJG/f04f1GETZJ5m8a1N+bRTz6+d58Cs=; b=e1femAaxdo1V/ezmiY7fUOFQtOnvo4BxLakLvradA8pJA/Ds7yMIDoPj+NyGpyMV9/ mr0TFfzMik0F8rWb8mgyuQ2UXbKc2v5i9f1ZslpWs9C4WV/08T7EIC64Kr+Y4HWfoZ2g SSc/oSiX2Md/btlcRJkFcXquJcLCM4q8GSvtMH/pmoYyq7bPUdi7HV4a+NpYLgCC7EO4 pItJZI/W18COkYZDdRJKHbzkYJ1YpxwgBBm5tLHTMEY/Y8bLtzEGw2vzdbLWry78aV0W Lgvp/L8rOaDQUj65SaxTYitAwXnlLFqeAHHSqppv0Mf9DjqbFPjDFHkCEUGIe6/dIO8Y Lf/A==
X-Gm-Message-State: AOAM532sFbVYGno8PO8P9sXoCNGgIBXlVwTZJnM5VrecPPua4ZM705Qh 95F/UMqHLusQbliqUVCUWDG6q4ugRBUaOv159xU=
X-Google-Smtp-Source: ABdhPJyEDL/Twz1PNADCguNsSkcj2ojoywmRGuwu6aS8dnaVkNG7NhqfWiVdGO9bm1zPyreQiKd/e5dmnHoHytuWuKg=
X-Received: by 2002:a50:ff0a:: with SMTP id a10mr22071974edu.273.1623100928862; Mon, 07 Jun 2021 14:22:08 -0700 (PDT)
MIME-Version: 1.0
References: <20210607123854.GA16312@nic.fr> <CAC7UV9bkqOeCgDsCH+Hdq0v=zmRKNNDtpfiq6Ap_vzm5zUzGVg@mail.gmail.com> <CALGR9oZiUe5TyY3Tv432__GH=v+Lpv2EZah0G4ZD+g3E2FkaMg@mail.gmail.com> <20210607130422.GA27971@sources.org> <EE723B6D-7B6B-4B68-A4A1-F1809CF68F1B@gmail.com> <20210607142015.GA31240@sources.org> <C1B56269-0EF7-42EC-8824-70F7485807B2@gmail.com> <20210607190027.GC5394@sources.org> <7CE3F7FC-21C1-4519-AA60-A2FDFFC512EE@gbiv.com>
In-Reply-To: <7CE3F7FC-21C1-4519-AA60-A2FDFFC512EE@gbiv.com>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Mon, 07 Jun 2021 22:21:57 +0100
Message-ID: <CALGR9oZFbUnZyRnL-TPvMac25cjp9WTReTAHWLGi+eO3_T7aww@mail.gmail.com>
Subject: Re: A question about user tracking with QUIC
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004cacec05c433a2f3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/5g-LZnhYacqo7Ef986u4RQuHYKI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2021 21:22:18 -0000

Hi,

Speaking as an individual.

Through the lens of server-side observation and linking of clients, I think
Christian makes astute observations on some common concerns and
QUIC-specific ones. Roy too makes some great additional observations about
the context of discussion.

It seems to me this topic might well do with some time to draw out the
considerations for documentation. However, the applicability draft is
already through a second round of WGLC, and that timeline seems too tight
for inclusion of such considerations. I would seem to me that the PEARG
(Privacy Enhancements and Assessments Research Group) [1] is ideally suited
towards housing effort on deeper/broader analysis of privacy aspects of
protocol evolution (I might even stick a note in for multipath TCP as
something that moves the needle on privacy of "legacy" application
protcols).

Cheers,
Lucas

[1] - https://datatracker.ietf.org/rg/pearg/about/

On Mon, Jun 7, 2021 at 8:43 PM Roy T. Fielding <fielding@gbiv.com> wrote:

> On Jun 7, 2021, at 12:00 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
> >
> > Any specific reference to such a discussion about privacy "against"
> > the server? I did not find any.
>
> There have been many discussions about session establishment and
> reestablishment.  Too many to note. However, "user tracking" is not the
> term used when the same server remembers interactions with a single user.
> That's more typically referred to as analytics or sessions, not tracking.
>
> There is a relevant concern about multisite tracking on servers that
> present a certificate for multiple origins, but that applies to both H2
> and H3
> and only if the browser chooses to reuse the same session layer across
> multiple sites. Regardless, this is nothing compared to a browser's
> inherent
> tracking features that any origin server is capable of directing for the
> sake of tracking at the HTML/JS layer.
>
> There was a conscious decision, early on, that QUIC would not attempt to
> provide the same features as Tor (or any other sort of privacy broker).
> It is simply impossible for a protocol to do a better job at that without
> centralizing everything by default, which would then be a far greater
> danger
> to users than individual origin sessions. Using QUIC to communicate with
> a user-selected, private intermediary (like Tor) would be much better, I
> think,
> than trying to do the same with H1/TLS or H2/TLS. Or at least it will be
> once
> there is a large number of users using the same protocols.
>
> > (And having important discussions on a Microsoft platform not
> > controlled by the IETF is a bad idea, anyway, but I digress.)
>
> The IETF does not have the resources to provide a comparable issue tracking
> system, let alone one that manages PRs and version control for authors,
> while
> providing extensive search capabilities at the same time. It's a tool.
>
> ....Roy
>
>

v2.31.3 | Report a Bug | By Email | System Status