Re: A question about user tracking with QUIC
Christian Huitema <huitema@huitema.net> Tue, 08 June 2021 05:09 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC48F3A2190 for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 22:09:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHRnf9yRE77c for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 22:09:14 -0700 (PDT)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A7E63A218E for <quic@ietf.org>; Mon, 7 Jun 2021 22:09:14 -0700 (PDT)
Received: from xse238.mail2web.com ([66.113.196.238] helo=xse.mail2web.com) by mx133.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1lqTzC-000ZSj-0j for quic@ietf.org; Tue, 08 Jun 2021 07:09:11 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4FzdZB6Bb0z1Y0J for <quic@ietf.org>; Mon, 7 Jun 2021 22:09:06 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1lqTz8-0005HX-Ng for quic@ietf.org; Mon, 07 Jun 2021 22:09:06 -0700
Received: (qmail 9555 invoked from network); 8 Jun 2021 05:09:06 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.69]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <bortzmeyer@nic.fr>; 8 Jun 2021 05:09:06 -0000
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, IETF QUIC WG <quic@ietf.org>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
References: <20210607123854.GA16312@nic.fr> <CAC7UV9bkqOeCgDsCH+Hdq0v=zmRKNNDtpfiq6Ap_vzm5zUzGVg@mail.gmail.com> <CALGR9oZiUe5TyY3Tv432__GH=v+Lpv2EZah0G4ZD+g3E2FkaMg@mail.gmail.com> <20210607130422.GA27971@sources.org> <EE723B6D-7B6B-4B68-A4A1-F1809CF68F1B@gmail.com> <20210607142015.GA31240@sources.org> <C1B56269-0EF7-42EC-8824-70F7485807B2@gmail.com> <20210607190027.GC5394@sources.org> <7CE3F7FC-21C1-4519-AA60-A2FDFFC512EE@gbiv.com> <CALGR9oZFbUnZyRnL-TPvMac25cjp9WTReTAHWLGi+eO3_T7aww@mail.gmail.com> <CAKKJt-eLegqkLw8dJzPwpV97wsdw3BXh7M-=P2BoYC=B04pwSA@mail.gmail.com> <8d9bfd40-59c5-286b-f2b6-64d4e552c69e@huitema.net> <CALGR9oYZUxLmKHt9fxP6Bj11CMiPRfwVr_5Qb-uhnV+moapyrA@mail.gmail.com> <CAKKJt-dN_TiArH+N2ufpDwq+YwF93Q9ko+j38==rDeVje3gLZw@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: A question about user tracking with QUIC
Message-ID: <9c036111-d787-0031-4457-8e79714f9571@huitema.net>
Date: Mon, 07 Jun 2021 22:09:04 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <CAKKJt-dN_TiArH+N2ufpDwq+YwF93Q9ko+j38==rDeVje3gLZw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.196.238
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCKUO i9rOEpW6oB1a8P3DNS7mD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7Imca053GwGyhzY/+A1Bez9k2eBQ6V51u76v35b1wNe/MvdKAGdwU TZKlze5ERymXAD3v2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7jZ1h/HfDRQ5Ig8VhPsPE8NaP2gA77cO7WeI9Ftai6fusD8g0IqoxA0+tq3OZe9KUhw Q9Ind1SpsMnvnqa/U2EIDRojSVizNl0ce/s7u0P9b9Tml6eOMCV9kYYwkPx6ZsXvIUzTXkDAiiJi mGhLUFuS2lhaIetXfCg1JdAVrOwKfEXMel4Vqy6tvtmGZuimga9UoFIvD3sIcP1fhJPM6B/8E9Gb f44eRN6g4CLrbxNgS+sKPivuiEBT3DrX8YQSK6qJ+dym1L8cD17Js0v4cp1M6vl0rJL43E+jV8lx fjK9RjcKVNeVJ9BXyu9+ceCqThTYg2px1fSoqxQCCHnLMo/m9VKh99btUAanjnMCAH2co+fBoeG+ Hs0afhsY/5zhNYWRVYKU9W9tbmVXJBqdHHDmZEKhyNAv1N35kYWaEdgLurFV5oTvAcwA4rM3FkfW 8/1kE/e7sUnsVpINvARNxpFO
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/If-9W_X_mLeLnGnfT2RxVif_N3o>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2021 05:09:17 -0000
On 6/7/2021 7:51 PM, Spencer Dawkins at IETF wrote: > This all seems very reasonable to me. The other question is about timing - > how urgent do people think this guidance is? I am not sure about that. The most urgent issue is the tracking via TLS session tickets, but that's exactly the same issue as TLS over TCP, it has been known for ages, and I am confident that browser developers are well aware of it. So the sky is not exactly falling. > > Christian characterized "if you don't want to be tracked when you migrate, > you probably shouldn't migrate" as a classic mitigation, and I'm also > wondering if we still have the classic level of concern about traceability. > If our level of concern has been increasing, that might make things more > urgent. But as you said, it's good for us to encourage other people to > express an opinion. Well, yes, but if instead of migrating the client starts a new session using a different IP address and use a session resumption ticket to speed up the process, it has not accomplished much. Same issue, if the client starts a new session using a different IP address and immediately identifies itself by entering a password or providing a cookie. So there is a bit of triage to be done between the cases. In the "logged on" case, the client is not in a position to avoid tracking. It could just as well migrate and enjoy the lower latency. But then, is there much real use of migration outside of "long connections in which the client has logged on the server?" Then there is the NAT rebinding case. The client does not voluntarily migrate, and the server just observes the packets coming from a new address. Too late to hide that, not much point in closing the session in the name of privacy. If clients really want to achieve address privacy and hide their location from a server on which they are often logged for long sessions, I think they should use a proxy or a VPN. Maybe we should discuss the trade-off of that too. And the various javascript APIs that surveillance scripts can use to ping servers outside the VPN and do some kind of triangulation. I hear that the Web RTC API have a rich surface for that. All that can become very confusing very quickly, which is why I think there is value in teasing out the scenarios and the various trade-offs. -- Christian Huitema
- Re: A question about user tracking with QUIC Robin MARX
- A question about user tracking with QUIC Stephane Bortzmeyer
- Re: A question about user tracking with QUIC Lucas Pardue
- Re: A question about user tracking with QUIC Stephane Bortzmeyer
- Re: A question about user tracking with QUIC Stephane Bortzmeyer
- Re: A question about user tracking with QUIC Mikkel Fahnøe Jørgensen
- Re: A question about user tracking with QUIC Stephane Bortzmeyer
- Re: A question about user tracking with QUIC Mikkel Fahnøe Jørgensen
- Re: A question about user tracking with QUIC Mikkel Fahnøe Jørgensen
- Re: A question about user tracking with QUIC Christian Huitema
- Re: A question about user tracking with QUIC Stephane Bortzmeyer
- Re: A question about user tracking with QUIC Stephane Bortzmeyer
- Re: A question about user tracking with QUIC Stephane Bortzmeyer
- Re: A question about user tracking with QUIC Töma Gavrichenkov
- Re: A question about user tracking with QUIC Roy T. Fielding
- Re: A question about user tracking with QUIC Lucas Pardue
- Re: A question about user tracking with QUIC Spencer Dawkins at IETF
- Re: A question about user tracking with QUIC Christian Huitema
- Re: A question about user tracking with QUIC Lucas Pardue
- Re: A question about user tracking with QUIC Spencer Dawkins at IETF
- Re: A question about user tracking with QUIC Christian Huitema
- IETF hosting vs. Github Stephane Bortzmeyer
- Re: IETF hosting vs. Github Willy Tarreau
- Re: IETF hosting vs. Github Lars Eggert
- Re: IETF hosting vs. Github Willy Tarreau
- Re: A question about user tracking with QUIC Behcet Sarikaya
- Re: A question about user tracking with QUIC Roberto Peon
- Re: A question about user tracking with QUIC Mirja Kuehlewind
- Re: A question about user tracking with QUIC Mirja Kuehlewind