Re: New Version Notification for draft-snell-httpbis-keynego-01.txt

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 20 Nov 2013 10:50:21 +1100
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <A2FCBC5B-CD83-4373-A80F-08AD860FAFD6@mnot.net>
To: James M Snell <jasnell@gmail.com>
Thanks, James. A number of people have contacted me privately to express interest in a SHTTP-like approach, so it's good to see proposals written down.

For me, one of the key questions about this general approach is whether the extra information leakage will be acceptable. I.e., an attacker will now know the "shape" of messages -- request and response -- on the wire, including their timing, size, relationships, etc. 

It's easy to imagine a way to characterise interactions with a given Web site and thus be able to correlate the observed messages with certain activities; e.g., "Bob is surfing the login page now, because he sent four requests, one request was significantly larger (due to a payload body on a POST), and the responses were of such-and-such a size." 

Is this significantly worse than HTTPS? AIUI TLS has leakage too, but it doesn't seem like it's as much as this would offer. I'd love to hear the security folks' opinions on that.

Cheers,


On 20/11/2013, at 8:13 AM, James M Snell <jasnell@gmail.com> wrote:

> At Mark's urging, I've posted a significantly updated draft of the
> "in-session key negotiation" draft that I had published last year.
> Please treat this as purely experimental at this point. I am not
> pushing this as a proposal just yet, just offering it up as one
> possible approach to providing message-level security as opposed to
> transport-level security. What this proposal does, in effect, is make
> it possible to negotiate and use cryptographic keys from *inside* an
> HTTP/2 connection as opposed to the TLS approach. A key benefit of
> this approach is that it allows peers to establish secure
> communication even over potentially insecure transports. Of course,
> it's not a perfect solution.
> 
> As always, feedback is welcomed and requested.
> 
> - James
> 
> 
> ---------- Forwarded message ----------
> From:  <internet-drafts@ietf.org>
> Date: Tue, Nov 19, 2013 at 1:08 PM
> Subject: New Version Notification for draft-snell-httpbis-keynego-01.txt
> To: "James M. Snell" <jasnell@gmail.com>
> 
> 
> 
> A new version of I-D, draft-snell-httpbis-keynego-01.txt
> has been successfully submitted by James M Snell and posted to the
> IETF repository.
> 
> Filename:        draft-snell-httpbis-keynego
> Revision:        01
> Title:           HTTP/2.0 Intra-Connection Negotiation
> Creation date:   2013-11-19
> Group:           Individual Submission
> Number of pages: 6
> URL:
> http://www.ietf.org/internet-drafts/draft-snell-httpbis-keynego-01.txt
> Status:          http://datatracker.ietf.org/doc/draft-snell-httpbis-keynego
> Htmlized:        http://tools.ietf.org/html/draft-snell-httpbis-keynego-01
> Diff:            http://www.ietf.org/rfcdiff?url2=draft-snell-httpbis-keynego-01
> 
> Abstract:
>   This memo describes a proposed modification to HTTP/2.0 that
>   introduces the concepts of Intra-Connection Negotiation and Secure
>   Framing.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 19 November 2013 23:50:48 UTC
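A toy model of the message-"shape" leakage raised in the reply above, added here as an illustration and not part of the thread or the draft. It assumes an observer of a message-level-encrypted connection still sees direction, order and ciphertext length of each message, and shows that exact lengths identify a constructed "login" flow, that bucket padding narrows but does not remove the signal, and that padding every message to one fixed size makes the two constructed flows indistinguishable.

```python
"""Observable shape of HTTP exchanges when only the payload is encrypted.

Each message is (direction, byte length) in wire order. Timing is left
out for brevity. All sessions below are constructed sample data.
"""

# Constructed profiles: a login flow (four requests, the third a large
# POST carrying a form body) and a browsing flow (four small GETs).
PROFILES = {
    "login": [("req", 410), ("res", 2200), ("req", 380), ("res", 1800),
              ("req", 1350), ("res", 900), ("req", 420), ("res", 5100)],
    "browse": [("req", 405), ("res", 2300), ("req", 390), ("res", 7600),
               ("req", 415), ("res", 6900), ("req", 400), ("res", 3100)],
}

# A constructed capture of a login flow with small length jitter.
OBSERVED = [("req", 420), ("res", 2150), ("req", 370), ("res", 1850),
            ("req", 1390), ("res", 880), ("req", 430), ("res", 5000)]


def shape(messages, pad_to=1):
    """Observable shape: direction plus length rounded up to a multiple
    of pad_to. pad_to=1 models no padding, i.e. raw lengths leak."""
    return tuple((d, -(-n // pad_to) * pad_to) for d, n in messages)


def distance(a, b):
    """Sum of absolute length differences between two shapes; a direction
    mismatch or differing message count makes them incomparable."""
    if len(a) != len(b):
        return float("inf")
    return sum(abs(x[1] - y[1]) + (0 if x[0] == y[0] else 10**6)
               for x, y in zip(a, b))


def classify(observed, profiles, pad_to=1):
    """Nearest-profile label for an observed session, or None when two
    profiles tie, i.e. the observer cannot tell them apart."""
    obs = shape(observed, pad_to)
    scored = sorted((distance(obs, shape(p, pad_to)), name)
                    for name, p in profiles.items())
    if len(scored) > 1 and scored[0][0] == scored[1][0]:
        return None
    return scored[0][1]


if __name__ == "__main__":
    for pad in (1, 1024, 8192):
        print(f"pad_to={pad}: {classify(OBSERVED, PROFILES, pad)}")
```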