IETF Logo Mail Archive

Re: [saag] Ubiquitous Encryption: content filtering

Natasha Rooney <nrooney@gsma.com> Tue, 23 June 2015 12:32 UTC

Return-Path: <nrooney@gsma.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B19D1A000A for <saag@ietfa.amsl.com>; Tue, 23 Jun 2015 05:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zcYUjXpoEC-O for <saag@ietfa.amsl.com>; Tue, 23 Jun 2015 05:32:40 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0651.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::651]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE82B1A0004 for <saag@ietf.org>; Tue, 23 Jun 2015 05:32:39 -0700 (PDT)
Received: from HE1PR04MB1033.eurprd04.prod.outlook.com (10.162.26.142) by HE1PR04MB1033.eurprd04.prod.outlook.com (10.162.26.142) with Microsoft SMTP Server (TLS) id 15.1.195.15; Tue, 23 Jun 2015 12:32:23 +0000
Received: from HE1PR04MB1033.eurprd04.prod.outlook.com ([10.162.26.142]) by HE1PR04MB1033.eurprd04.prod.outlook.com ([10.162.26.142]) with mapi id 15.01.0195.005; Tue, 23 Jun 2015 12:32:23 +0000
From: Natasha Rooney <nrooney@gsma.com>
To: saag <saag@ietf.org>
Thread-Topic: [saag] Ubiquitous Encryption: content filtering
Thread-Index: AQHQqZyD4d9shmwZoUiA42dbZLPz/J2zz0uAgAAQJoCAACwngIAE9FYAgAANCgCAAANWAIAAevYAgABD5wCAAANQgIAABgoAgAAH1wCAAC24AA==
Date: Tue, 23 Jun 2015 12:32:23 +0000
Message-ID: <A03F39DE-EFF0-4769-B218-37816296BB02@gsma.com>
References: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com> <CABtrr-U9kLfq4GQbWSgPN=wCD=Cdi0uQ+bQqXj35j+PFtuE8Pg@mail.gmail.com> <A4BAAB326B17CE40B45830B745F70F108E070156@VOEXM17W.internal.vodafone.com> <55844743.4030300@cs.tcd.ie> <55886F38.4030906@bbn.com> <20150622211207.GM6117@localhost> <DM2PR0301MB06554ECDB1166C32CF70366CA8A10@DM2PR0301MB0655.namprd03.prod.outlook.com> <CA+cU71ksYZpzg_7jX1xz3aqg-ZVMC-22hCevATrgmHj3h5bVrA@mail.gmail.com> <DE85F7A6-A8F6-48FA-8AAA-EF8ECE17B73E@gsma.com> <CAHbuEH4Rp4DQCRJiED3vKRco8+boLzpZqnp5OZPhhsLuxP7G9g@mail.gmail.com> <627A7DEB-9BD0-46FA-A4D8-BB448C2BCB16@gmail.com> <CAHbuEH5VC4Uxdvg+oQjwLLbnLnUcXx3uH4rZNZhNwXPsEXHgPA@mail.gmail.com>
In-Reply-To: <CAHbuEH5VC4Uxdvg+oQjwLLbnLnUcXx3uH4rZNZhNwXPsEXHgPA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.2098)
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [212.31.90.49]
x-microsoft-exchange-diagnostics: 1; HE1PR04MB1033; 5:+EgLiHdLp3s1QUVY+mFdy8AsZ3Lw1ttfZb6N30z7UWVhTJ5sfwB1V/n176S/lDLAE2XBKVhOW12NagMYeYrw2kpjWRIW8PjnQxvRQJDI4YfCHIXpe2kpJIP64k4d7PcLJ4Ttu5RMPthFzUr45e6oMA==; 24:tEqIgIS1YDLCPPxC9Iam/oClOmodaG7xQ8Cia9OBB4mtiJUTtDN3VZuICxbDq1OR2HQfn13BxEap7B6RVtIlLV//l6L8XFCXR3eWOe0N+ZQ=; 20:n3AYCASYqs2P31SP6BAvBUQHj6srgrhIsprs6bann6LRON0YMf36D/lgnYrmIjZsp2rti4NDAi6LgUCFjrQWaw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:HE1PR04MB1033;
x-microsoft-antispam-prvs: <HE1PR04MB1033A3CDBE50DDC6E9AAC449C3A00@HE1PR04MB1033.eurprd04.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:HE1PR04MB1033; BCL:0; PCL:0; RULEID:; SRVR:HE1PR04MB1033;
x-forefront-prvs: 06167FAD59
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(164054003)(51704005)(53754006)(51914003)(24454002)(377454003)(16236675004)(87936001)(2656002)(57306001)(36756003)(5890100001)(102836002)(2950100001)(122556002)(82746002)(50226001)(77096005)(5002640100001)(2900100001)(189998001)(40100003)(92566002)(46102003)(450100001)(77156002)(62966003)(66066001)(110136002)(76176999)(107886002)(5001960100002)(86362001)(93886004)(83716003)(33656002)(19580405001)(50986999)(19580395003)(106116001)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR04MB1033; H:HE1PR04MB1033.eurprd04.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: multipart/alternative; boundary="_000_A03F39DEEFF04769B21837816296BB02gsmacom_"
MIME-Version: 1.0
X-OriginatorOrg: gsma.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jun 2015 12:32:23.2008 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72a4ff82-fec3-469d-aafb-ac8276216699
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR04MB1033
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: HE1PR04MB1033.eurprd04.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-originalclientipaddress: 212.31.90.49
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-disclaimer-hash: 78ca8040c6722e32c2f5b0a45bf37e74b9409d645a53be96aa19958e0cee0f00
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-OrganizationHeadersPreserved: HE1PR04MB1033.eurprd04.prod.outlook.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/9_Hb6cIdgkoTkmcaGbV-aPrek8Y>
Subject: Re: [saag] Ubiquitous Encryption: content filtering
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 12:32:44 -0000

Hi all!

Thanks for the comments on this. I rewrote some items given some feedback I received (Joe: I am worried that I didn’t expand on your points enough, please let me know if I should add something!):


2.3.X Content Filtering
Service Providers may, from time to time, be requested by law agencies to block access to particular sites such as online betting and gambling, sites promoting anorexia, or access to dating sites.*1 Content Filtering can also happen at the endpoints.

Content filtering in the mobile network usually occurs in the core network. A proxy is installed which analyses the transport metadata of the content users are viewing and either filters content based on a blacklist of sites or based on the user’s pre-defined profile (e.g. for age sensitive content). Although filtering can be done by many methods one common method occurs when a DNS lookup reveals a URL which appears on a government or recognised block-list. The subsequent requests to that domain will be re-routed to a proxy which checks whether the full url matches a blocked url on the list, and will return a 404 if a match is found. All other requests should complete.

Even in encrypted connections transport and lower layer metadata is able to be viewed so for many systems content filtering should be able to continue. Cases when they may not work is when TLS proxies are being used which obscure metadata with the proxy metadata, and future versions in HTTP and TCP may encrypt metadata again stopping content filtering software from working (this is currently not the case and has not been standardised). *2

Some sites involve a mixture of universal and age-sensitive content and filtering software in these cases may use more granular (application layer) metadata to analyse and block; this will not work on encrypted content.


I wanted to add two more sentences, but an IETFer gave me some advice today to say that I should only state facts, and not any leading or presumptive items, in such a submission. In which case I removed these two sentences, but you may find it benefit to include them:


  *   "Some mobile operators utilising licenced spectrum must adhere to regulations set by the government licensor, which include content filtering, or risk fines/licence suspension" at *1
  *   "Regulators that impose these censorship rules may look for other means if current methods stop working." at *2.

Also, I am happy in knowing that IETF won’t work on mitigating any sort of censorship, just that this exists as a reference. I also liked the idea of returning information to the user about what is happening so they can make decisions about their browser, provider, or who they’re voting for! Comments always welcome - thanks for the responses so far!

Natasha


Natasha Rooney | Web Technologist | GSMA | nrooney@gsma.com<mailto:nrooney@gsma.com> | +44 (0) 7730 219 765 | @thisNatasha | Skype: nrooney@gsm.org<mailto:nrooney@gsm.org>
Tokyo, Japan


On Jun 23, 2015, at 11:48 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote:



On Tue, Jun 23, 2015 at 5:20 AM, Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>> wrote:

> On Jun 23, 2015, at 11:59 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote:
>
> Thanks for the discussion on this, it's helpful to get this right for documentation purposes.  I'd split out MiTM activities of this sort for enterprises vs. the same done at the service provider level because of employee agreements.  I also choose not to go to many sites from behind a firewall and hope others do too when signaled that there is a certificate mismatch.

I’m not sure if that distinction is meaningful. The technology for interception is the same whether it is used to scan downloaded files for malware or to scan Facebook posts for insufficient appreciation of our Dear Leader.

Sure, I'm aware the same technique is sometimes used for both scenarios, but not always.  It's easy for a company with an agreement to set up a proxy that has 2 TLS sessions, one between the user and proxy and the other from the proxy to the destination site.  Other techniques have been used (see UTA's TLS attack RFC - 7457) at the service provider level, including stopping the STARTTLS negotiation.

Some have used techniques that are less visible to the user.  As problems are fixed in the protocol, what is done shifts of course.



Employees in a corporate environment are supposedly informed, but corporate computers and devices may come pre-installed with the interception certificate. Even as a conscientious vendor, there is no way I can enforce that corporate IT properly informs the employees.

I'm sure this varies between regions.  I just think enterprises can be more deliberate about it with user agreements and not worry about error messages.  Sure, the sam thing can be done in a pre-installed way, but a user can check the certs if they know enough.


Similarly, we’ve seen interception used at service providers at the behest of governments. In some countries devices come pre-installed with the government interception certificate. This makes it transparent to the citizens. Again, it would be nice if citizens at least knew this was happening, but those governments tend to not be “nice”.  At least ISPs don’t have the power to manipulate the endpoints (though in the early days of broadband they would ask you to install a “dialer” - if I were a more suspicious person…), but they do when they work for the government.

Yes and that's scary.  I think the distinction is acceptability of the approach in environments like work, since your time is paid for.  Documenting this in two stages would be good as approaches to resolve may be different.  The TLS 1.3 work to use pre-shared keys negotiated via DNS should certainly help on this angle.  Enterprises may choose to block access to some sites, where other options might be used by governments or others trying to MiTM traffic.


Ideally a solution would reveal the presence of a MITM to both client and server.

That would be good.
All solutions discussed thus far can reveal things to the client, but do nothing for the server. I would like to have servers such as financial institutions and medical services be able to enforce a policy where they don’t provide a service through a middlebox. Doing it now requires installing their own client on the user’s machine, which seems to be a trend in mobile, but is not something we should require.

Yoav

Thanks,
Katheen



--

Best regards,
Kathleen


This email and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone; please reply to this email or call +44 207 356 0600 and highlight the error.

v2.23.0 | Report a Bug | By Email