Re: A proposal

On 2013-11-19 13:15, Stephen Farrell wrote:
> Roy,
> 
> One request for clarification below:
> 
> On 11/18/2013 11:39 PM, Roy T. Fielding wrote:
>> On Nov 17, 2013, at 3:40 PM, Mike Belshe wrote:
>>> On Sun, Nov 17, 2013 at 3:27 PM, Roy T. Fielding wrote:
>>> Security is a systemic issue, not a protocol issue.  There is nothing
>>> secure about TLS or encryption.  There are merely some use cases in
>>> which the data crossing the wire can be made confidential to a given
>>> set of key holders, preferably controlled by the entity to which the
>>> user intends to communicate in confidence.  That level of confidentiality
>>> is sufficient for many commerce use cases.  It does not provide privacy.
>>> 
>>> Anyone who thinks adding TLS to plain HTTP will improve security,
>>> let alone privacy, needs to learn how TLS gets its security.
>>> Encryption is not magic pixie dust.
>>> 
>>> So your official statement is that TLS does not improve the security 
>>> or privacy of HTTP?
>> 
>> I don't make official statements.
>> 
>> rot13 improves privacy, if what you mean by "improve" is that there
>> exist some tools that do not currently read rotated clear text.
>> I don't think "improves privacy" is a useful description.
>> You either have privacy or you don't.
> 
> Security is less complicated than privacy and is definitely
> not a binary property. Privacy is at this point far less
> well defined, so I find the last statement above quite hard
> to accept. (In fact, I find it unbelievable.) However, privacy
> is so ill-defined that it's possible you're using some
> definition that does support such a binary distinction. FWIW,
> I'd be hugely surprised if there were a useful definition in
> which privacy was a binary property of systems.

It assumes privacy is roughly equated with anonymity. Which is what the 
general user population most vocal about either privacy or anonymity 
are also equating. Requesting "can't spy on me" as opposed to accuracy of 
definition for privacy.


> 
> I suspect there's not much point in a blow by blow response
> if it turns out our terminology is miles apart in that
> respect, so can you provide or point at your definition of
> privacy such that it's a binary property of systems?


I make the same point when debating anonymous proxy features with users.

They have a binary choice:
0) remove datum X which is used for tracking
1) obscure/replace datum X with Y

NP: What at first thought appears to be a third option "leave datum X 
alone" is actually the case of (1) when X==Y.

So every action taken on a single user's information is exposing at 
minimum 1 bit of information about that user. The level of anonymity is 
part of their uniqueness. Doing (2) only has benefit if Y is more common 
than X. Thus the special case of X==Y (status quo) is the common case of 
most benefit.


Tradeoff is privacy vs security. It is exceedingly difficult to have both 
simultaneously. Perfect for both means being cut off from the 
communication channel entirely. Up to that point there is a weakest-link 
situation where the stronger either becomes the more vulnerable it is to 
holes in the other.

Privacy requires that no one user can be separated from the crowd. The 
safest action is to take N users' data and jumble it all up - 
invisibility/anonymity/privacy by obscurity. Encryption / signing 
prohibits these protection actions.

TLS and similar end-to-end channels offer clear end-to-end separation of 
each individual client's data (albeit encrypted). Such that individual 
user tracking improves to near 100% capability for any Big Brother 
entity. Each endpoint has full tracking ability for the connection, and 
big brother in the middle is provided with the guarantee that all bits 
of the stream are present and in the sequence visible to it.

Traffic which is allowed to be multiplexed by middleware becomes a far 
more jumbled "mess" of packets/frames across the network. The endpoints 
have no change to their abilities, but Big Brother in the middle has 
lost the guarantee of seeing everything at a single choke point, or 
getting it in the right order to identify an individual. It can still do 
that, but must cast a far wider net for less gain.

High quality protection ("security", "privacy", whatever you want to 
call it) is best when it involves a mixture of the two approaches. 
Encrypting what needs to be hidden while simultaneously jumbling the 
critical bits amidst similar chaff from numerous other sources (on the 
server end) or destinations (on the client end). This is one key 
security property a middleware topology (dare I call it "cloud"?) 
offers.

Amos

Received on Tuesday, 19 November 2013 01:54:54 UTC
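
An added example, not part of the original message: a sketch of the remove/replace/leave choice for datum X described in the message above, measuring how much a value singles a user out as its surprisal (in bits) within a constructed population. The population, the function names and the choice of surprisal as the measure are assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample: the value of one trackable datum (for instance a
# request header) as sent by 16 users. None means the datum is absent.
# Indices: "A" 0-7, "B" 8-10, "C" 11, "D" 12, None 13-15.
POPULATION = ["A"] * 8 + ["B"] * 3 + ["C"] + ["D"] + [None] * 3


def anonymity_set(population, value):
    """Number of users in the population who send this value."""
    return Counter(population)[value]


def identifying_bits(population, value):
    """Surprisal of a value: -log2 of the share of users sending it."""
    return -math.log2(anonymity_set(population, value) / len(population))


def rewrite(population, index, new_value):
    """Population after one user's datum is replaced (None = removed)."""
    changed = list(population)
    changed[index] = new_value
    return changed


def gain(population, index, new_value):
    """Bits the user sheds by the rewrite; negative means more exposed."""
    before = identifying_bits(population, population[index])
    after = identifying_bits(rewrite(population, index, new_value), new_value)
    return before - after


if __name__ == "__main__":
    rare_user, common_user = 12, 0  # sends "D" (unique) / sends "A" (common)
    cases = [
        ("leave D alone (X == Y)", rare_user, "D"),
        ("remove D", rare_user, None),
        ("replace D with common A", rare_user, "A"),
        ("replace common A with rare C", common_user, "C"),
    ]
    for label, index, new_value in cases:
        print(f"{label:30s} gain = {gain(POPULATION, index, new_value):+.2f} bits")
```
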