RE: Privacy holes

[Praveen Balasubramanian <pravb@microsoft.com>]

It's not just the server information. Its timing information that is far more valuable for the adversary. Not all clients will failover from wifi to cellular at the same time and hence the correlation will be very strong. You just need a few failover events in a day for a very strong correlation. What also makes this easy is that In a capture, a migration looks very different than a new connection. The attack seems very practical for a powerful adversary.

>> I don't like the general line of reasoning that "because there is another hole here, we should not fix this hole there."
I didn't state this and incremental progress is useful. I was simply trying to list possible privacy holes since that was the question on this thread.

>> we can start using multiple addresses per server, or maybe some form of onion routing, or some CDN trick
In an ideal world yes. But most deployments will be incremental on current infra.

>> But if we stick a clear text ID in the headers, we lose
This is too broad - sticking the *same* cleartext ID is a problem. Different cleartext IDs is no different than using encryption i.e. make clear text fields look like a new connection on the wire. 

-----Original Message-----
From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Christian Huitema
Sent: Wednesday, April 11, 2018 5:17 PM
To: quic@ietf.org
Subject: Re: Privacy holes



On 4/11/2018 12:18 PM, Praveen Balasubramanian wrote:
> Going back to Christian's original question on privacy holes, there is an attack for linking IP addresses in the voluntary migration case.
>
> Let's consider the parking lot problem or in general case losing one network and roaming to another network. This is the primary use case for connection migration. In this case all active QUIC connections that can migrate, will do so. When these connections migrate they can change the CID, the local port number and packet numbers. However do notice that only the local 2-tuple changes for each connection, the server's 2-tuple remains the same. 
>
> Let's assume a powerful adversary can collect a network sniff of all this traffic and builds a massive dataset. The adversary can then run a machine learning algorithm to identify time instants where a bunch of connections change their local 2-tuple at near the same time instant but continue going to the same server side 2-tuples. This will allow the adversary to link two IP addresses. The more times the user roams between networks back and forth the richer the correlation. The more open connections to different servers, the richer the correlation. Geolocation information can minimize the number of addresses the adversary needs to correlate. 
>
> The fundamental problem seems to be that the substrate is UDP/IP and it is in the clear and allows linkability. 

The server 2-tuple does provide some information, but we should not overstate it. One element of the 2-tuple, the port number, is likely to be set to 443 for pretty much all servers, so I don't think it is terribly useful. The IP address is useful, but in many cases these address will be shared by a large number of connections, either because it is a big service like Microsoft.com, or because it ends in some kind of CDN.

I don't like the general line of reasoning that "because there is another hole here, we should not fix this hole there." If you accept that, you end up with so many unpatched holes that the situation is indeed hopeless. But if we fix now the holes that we can fix, and if other holes prove important, we can fix them later. For example, if tracking by IP is an important problem, we can start using multiple addresses per server, or maybe some form of onion routing, or some CDN trick. But if we stick a clear text ID in the headers, we lose.

-- Christian Huitema