IETF Logo Mail Archive

Re: [Trans] AD Review: draft-ietf-trans-gossip-04

Tom Ritter <tom@ritter.vg> Mon, 05 March 2018 16:31 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 341161270AC for <trans@ietfa.amsl.com>; Mon, 5 Mar 2018 08:31:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ritter.vg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rhtuglVofRXn for <trans@ietfa.amsl.com>; Mon, 5 Mar 2018 08:30:52 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8648312D940 for <trans@ietf.org>; Mon, 5 Mar 2018 08:30:52 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id f25so21322103qkm.0 for <trans@ietf.org>; Mon, 05 Mar 2018 08:30:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RJmdTtdbdCpFq1VuYtgx5CIxGBvYunm5JVmYBFedJkU=; b=HfyUulmYEDY+PfZ0qmrbnr5Bsq/vZj646f1kLuF1hMOYVoxY596qNqQlnmboynlIQt EgaexqTa51tCJ0cIO93SeKuoQjk8OZY31/ZCHWeoofPaJbm/zkY8eFqsm/tz3PNtT8Ce 6hgwKvGcK55TZa1vz3CsM4f8qW/aeqzRDTiiY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RJmdTtdbdCpFq1VuYtgx5CIxGBvYunm5JVmYBFedJkU=; b=a3QYVo6BnnEZyJ8BUMI3b572Mqw1wKa0k7rp6yrDBlgLEOf8JgRl9kPmwCwpObKjS1 1yrXNxzQeZ/KMtjWxXsbsp81XVUpuPGMg0CdvrgQh1bNKdK8iEHqEX8ohm3X7CahLLzy uOHjkkH0jbi387M6FzCCU/T6pPs3ZKpprA4wD7nHTaXREa6TsAaXUlCrffw6J5zsxCLk UczXrw0U4f5PFCbpyN/MC6ZnJTmiAZhroDCDMCnIrQP4JcgNdgtuXKCyOaA5nvV2Q9vn qHs7U1aqkISAzYbRI6931sIqGWi7WYEnzpYmgOTw3zS267CSHDqfwIjFCKzan3vOnZ5c 90IQ==
X-Gm-Message-State: AElRT7FekemsGarcoB69cJEV8yTgmDX4Lx/Gr1BCWIrW7O1U1M291YwP K1o+y19AIqawhwI817lGBgu893lrBN4vwZCz7KwF2U7lKYg=
X-Google-Smtp-Source: AG47ELsIYB+RlFaAgD7jRA/RFM1UNvpysrB+w6+ivQY95RV+gx8FJOM/LEKXvmss1vEatzUPO5igtip63jPsM7gkkWE=
X-Received: by 10.55.217.220 with SMTP id q89mr23388793qkl.64.1520267451232; Mon, 05 Mar 2018 08:30:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.80.144 with HTTP; Mon, 5 Mar 2018 08:30:30 -0800 (PST)
In-Reply-To: <CABcZeBPX5m1OstXihmiMmc9QaBQ_uroyGLv-6-7QoupVYOdPjA@mail.gmail.com>
References: <CABcZeBM6=26ojcoMfkq5205z7UvCSQuhkg0PrR2_bjP-ps7W0g@mail.gmail.com> <87inc8osk3.fsf@nordberg.se> <874lnrpi2v.fsf@nordberg.se> <CABcZeBPX5m1OstXihmiMmc9QaBQ_uroyGLv-6-7QoupVYOdPjA@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Mon, 05 Mar 2018 10:30:30 -0600
Message-ID: <CA+cU71khsCHUWH-xqV4BX42jNGVKXT=qAgDnafzavZ7jEg+pDw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Linus Nordberg <linus@sunet.se>, Trans <trans@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/nuGKw7WVmKE-RHf_HU9mUb_7u5E>
Subject: Re: [Trans] AD Review: draft-ietf-trans-gossip-04
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 16:31:00 -0000

On 24 February 2018 at 14:45, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
> On Fri, Jan 12, 2018 at 1:00 AM, Linus Nordberg <linus@sunet.se> wrot
>>
>>
>> > View Inline
>> > <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-389>draft-ietf-trans-gossip.txt:417
>> > treats other security mechanisms that can enable tracking (such as
>> > HSTS and HPKP.)
>> >
>> > What is that manner? As far as I can tell, it's "do nothing special"
>>
>> HSTS and HPKP are special, they often have subtly different behavior
>> than other things. For example, they are generally shared from the
>> normal browsing context into a Private Browsing Mode, which is different
>> from nearly every other thing that can enable tracking.
>>
>> We're under the impression that browser makers are keeping an eye out
>> for actual uses of HSTS and HPKP for tracking, and if it becomes a
>> problem, they may close the Private Brrowsing Mode population behavior.
>
>
> Yeah, I think this document should provide some guidance here.

I'm sending https://github.com/tomrittervg/draft-ietf-trans-gossip/commit/1389c9c6f9cab15851b88f0d0ca21ca2b6c9d89e
to Linus for this.



>> > View Inline
>> > <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-390>draft-ietf-trans-gossip.txt:434
>> > The data sent in the POST is defined in Section 8.1.1. This data
>> > SHOULD be sent in an already-established TLS session. This makes it
>> > hard for an attacker to disrupt SCT Feedback without also disturbing
>> >
>> > See above about the privacy implications of creating a new connection.
>>
>> What privacy implications are you refering to here?
>
>
>
> "This is not necessarily the case. Consider the situation where I contact a
> site from location A, retrieve an SCT, and then when I start my browser in
> location B, don't visit the site, but send the SCT. This links the two
> locations. You need to also restrict the delivery of SCT Feedback to organic
> connections to the site. The text doesn't seem to contemplate non-organic
> feedback but it doesn't prohibit it either."


I believe we addressed the organic/non-organic with
https://github.com/ln5/draft-ietf-trans-gossip/commit/7c2c55b8e4c2de092f95675185446d85d36361d7



>> > View Inline
>> > <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-400>draft-ietf-trans-gossip.txt:804
>> > proofs from that third party could be considered reasonable from a
>> > privacy perspective. The HTTPS client may also do its own auditing
>> > and might additionally share SCTs and STHs with the trusted party to
>> >
>> > Why would this be the case?
>>
>> Are you questioning why it could be considered reasonable to share
>> gossip data with any of the suggested types of third party
>> organisations?
>
>
> The former.\


Hm. I tried to loosen the language to be less suggestive that any of
these are by default reasonable, and suggest that they could be
reasonable in different situations.

https://github.com/tomrittervg/draft-ietf-trans-gossip/commit/077d99346b027bfeae11a276afb435bb32f1f63d


>> > View Inline
>> > <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-405>draft-ietf-trans-gossip.txt:996
>> > HTTPS clients are afforded the greatest chance of detecting an attack
>> > when they either participate in both SCT Feedback and STH Pollination
>> >
>> > "greatest chance" isn't that encouraging. Please actually quantify this
>> > in
>> > some way.
>>
>> Do you think that the document is lacking text on _why_ a client has the
>> greatest chance of detecting an attack when $foo? Or are you asking for
>> reasoning about how large the chance of detecting an attack might be?
>
>
> The second.


Without reviewing an implementation and browsing habits, I don't know
how I would go about quantifying that.

If we assumed an unbounded cache size, a user that never cleared their
history, used the browser daily, an open and populated system for STH
Pollination, and the misbehaving log issued a 'bad' STH: the chances
of it getting detected seem to be near-certain.

If the misbhaving log didn't issue a STH; but the website in question
participated in SCT Feedback; and auditors polled it, then again:
near-certain.

But if users clear their history, or get attacked in private browsing
mode; or they use their browser infrequently; or the browser sets a
very low cache size for the data it stores and the attacker wants to
flush it.... the chances will go down.


>> > View Inline
>> > <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-413>draft-ietf-trans-gossip.txt:1283
>> > from a CT log that it doesn't accept SCTs from. An HTTPS client
>> > SHOULD regularly request an STH from all logs it is willing to
>> > accept, even if it has seen no SCTs from that log.
>> >
>> > Is any HTTPS client actually planning to do this?
>>
>> We have no idea.
>>
>> WG: Do you know of any HTTPS client planning on implementing _any_ of
>> the methods described in this document?
>
>
> A SHOULD Seems pretty silly if the answer is "no"

I don't have strong feelings about the clients regularly getting a STH
directly from the log. I'm fine with removing it, but I think Linus
liked this, so I'll let him think about it.



>> > View Inline
>> > <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-416>draft-ietf-trans-gossip.txt:1431
>> > SHOULD send gossip data in an already established TLS session. This
>> > can be done through the use of HTTP Pipelining, SPDY, or HTTP/2.
>> >
>> > My understanding is that almost nobody currently does pipelining.
>>
>> Okay, but it's still part of the HTTP standard, is it not? It seems like
>> it's still a valid example of a measure that would achieve our desired
>> goal here.
>
>
> I don't think it's sensible to suggest that people do things we know they
> won't.

We're not actually saying they should use Pipelining, we're saying
it's an example of the type of technique we would like them to use
(along with SPDY - which doesn't really exist anymore I think - and
HTTP/2). It's illustrative.

-tom

v2.23.0 | Report a Bug | By Email