
Re: HTTP2 Expression of Interest

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Wed, 18 Jul 2012 21:37:39 +0200
Message-ID: <81875c643f0ad9cf72c228694f5c339d.squirrel@arekh.dyndns.org>
To: "Yoav Nir" <ynir@checkpoint.com>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "Mike Belshe" <mike@belshe.com>, "Phillip Hallam-Baker" <hallam@gmail.com>, "Adrien W. de Croy" <adrien@qbik.com>, "Rajeev Bector" <rbector@yahoo-inc.com>, "Martin Thomson" <martin.thomson@gmail.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, "Doug Beaver" <doug@fb.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Wed, 18 July 2012 16:03, Yoav Nir wrote:
> Wow. It's like I have to run to the other side of the table to argue for
> the other side…
>
> On Jul 18, 2012, at 4:24 PM, Nicolas Mailhot wrote:
>>
>> That being said:
>>
>> 1. I don't read the bank (or other correspondence) of my users
>>
>> 2. I'm not asked to read the bank (or other correspondence) of my users,
>> either by management or a police state (divulging it would take a legal
>> injunction I think, never had to deal with those)
>
> It's a good thing that you don't read bank transactions and that you don't
> get asked to. But you could read the bank transactions if you wanted to
> (or were asked to).

No one is going to ask me to do so. Much simpler to hire some shady
character to deploy a keylogger on the target user computer, and no need
to involve an honest general-purpose network joe like me. Your threat
assessment is faulty.

> If the data goes over HTTP you can do it with
> something as simple as TCPDUMP. If it goes over SSL, you'll need a TLS
> proxy.  The security issue is not that you want to do it, but that you and
> others with similar jobs to yours can do it.

The security issue is that the protocol is not well behaved and does not
let users negotiate the level of protection they deem necessary and which
is possible to negotiate in a particular social setting. The protocol is
an absolute god-awful under-specified mess that leaves users at the mercy
of web sites, intermediaries and browser writers. Instead of giving users
the tools to assess and control connexion state, so they are able to
perform this negotiation (which they are the *only* ones legitimate to
perform), browsers and big sites have embarked on an anal blind quest to
apply TLS everywhere and *that* is the reason there are MITM ssl
interception boxes sprouting right and left today.

In an all-or-nothing world users get *nothing* on networks where they are
guests if the protocol and tools do not provide them the means to behave
like guests.

In an all-or-nothing world me and other intermediary operators get total
control because there is no middle knob between no control and total
control, and no control is not acceptable to the network owner who has
veto power by definition.

It's no use advertising the triply iron-clad TLS door to a social site
when said social site leaks user information like a sieve, often
deliberately. Not only is it not helping the user, it's actively deceiving
him.

The day the protocols and tools help users check what is sent in clear,
what has been integrity checked, what has been encrypted, by whom and to
whom (and who sends the various error pages), and decide themselves what
they want (do they allow middlemen to accelerate or malware-check some
elements; do they insist that others must be totally opaque even at the
cost of losing connection on networks they do not control) then people can
claim they are pro-users.

(it's not rocket science, it's just defining a protocol that permits
different compromise levels, providing means to users to tag accesses as
belonging to one category or the other, and having the web client
negotiate automatically the best compromise it can on the available
networks. And yes that would also permit users to block collection of data
by advertisers and other commercial entities if they wish so)

All the mashup, sharding, clouding, ajaxy stuff while convenient for web
site and browser developers has resulted in a mess no normal user could
identify any trust domain in. No amount of TLS-ing is going to fix the
trust problem. Multiplexing will make the situation worse, not better. So
please instead of continuing to make choices for the users please make
http connexions simpler to understand by users so they can make educated
security decisions (and putting grocery shopping on the same level as bank
account accesses is not making connexions simpler to understand; it shows
users you don't give a fig about their actual needs).

I defy any of the pro-crypto people here to poll random people in the
street and make them say they'd rather have the internet become even more
complex and opaque, to provide total confidentiality, instead of being as
simple to use as a wired phone (even if everyone knows governments can
wiretap wired phones)

>> 3. When confidential (company or user) data leaks it's always at the
>> server endpoints, usually because those endpoints didn't care a bit
>> about user data confidentiality.
>
> Well, we know that some countries monitor traffic for censorship and to
> discover dissidents. Most would call this data leakage, and it's not at
> the endpoints.

I'm quite sure those countries also read dissident blogs and social sites
and that they get more info this way than by monitoring traffic.

>> 12. we absolutely do *not* want to eavesdrop on bank accesses,
>> e-government forms, etc. We'd much prefer if such a traffic could be
>> sent in encrypted payloads with in-clear routing metadata (there I
>> differ a bit from Willy, but I accept he has customers with stricter
>> requirements than ours)
>
> Does "we" include the no such agency?

The no such agency has backdoors in all the big US web sites that want to
save people in other countries from spying with TLS. It does not even need
to profile people anymore: those sites are doing it openly and for free in
its stead. With LinkedIn it can downsize its economic intelligence arm too
(or even peek directly at data processed in the clouds of Amazon &
friends)

This is spook paradise

> Does it include its counterparts in Iran and Syria?

I'm sure they will catch up on the new way of offloading intelligence to
web site operators soon if they haven't yet. The Chinese certainly did a
long time ago.

> There are all sorts of people installing middleboxes.

And there are all sorts of people that do not want to be made targets
because their technology provider decided it was smart to make them go
dark and behave like enemies of the state.

You don't solve political problems with simplistic binary technical
changes (especially when you focus on the element which is not the worst
problem today). Governments and populations adapt either way. And just
because some populations do not like their government does not necessarily
mean they prefer to give the keys of their lives to facebook or google
(which is what will happen with a system too complex to control by anyone
but first-rank websites)

-- 
Nicolas Mailhot
Received on Wednesday, 18 July 2012 19:38:28 GMT
