W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: HTTP/2 and Pervasive Monitoring

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 15 Aug 2014 18:56:40 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <DE8B5174-864A-4514-B2DC-6F1742535A8C@mnot.net>
To: Greg Wilkins <gregw@intalio.com>
Greg - please have a read of the BCP, which says some things that are very similar to your statements.

No protocol effort can claim to “solve” it — it would be ludicrous to say we could — but by the same token, we can’t (as per the BCP) bury our heads in the sand and not consider the PM-related consequences of our protocol design.

 (I think we’re in violent agreement here)


On 15 Aug 2014, at 4:00 pm, Greg Wilkins <gregw@intalio.com> wrote:

> On 15 August 2014 12:58, Mark Nottingham <mnot@mnot.net> wrote:
> It's safe to say that pervasive monitoring is very relevant to HTTP.
> I'm not so sure about this.
> The vast bulk of PM issues, at least as they are discussed in Australia are related to the collection and retention of meta data.  Who you talked to, when you connected, how much data, who you connected to next, etc.      While I'm sure inspection of content is also an issue, it is secondary to the meta data issues.  Also many of the players involved in PM attacks have access to the unencrypted end points, so transport encryption is a long way off being a silver bullet for protection from PM
> There is very little that we can do within a protocol like HTTP to address the such meta data collection.     More over, the problems that we face are similar to PM issues that other application protocols face.  SMTP, POP, IMAP, Websocket, IRC, SIP etc. all need similar protection as HTTP.            Solving PM is not something that I think that any of these protocols can do on their own.  Essentially PM is something that needs to be addressed at the TCP/IP level as I would suggest that any protocol using TCP/IP is subject to significant PM attack regardless of encryption.
> Note that I'm not necessarily arguing against https only.... I'm really just saying that to pretend that this gives any significant defence against PM is to over sell what it achieves or what can be achieved by any application protocol stand alone.
> It is indeed a problem, I just don't think we can put our hand up as being able to solve it.
> regards
> -- 
> Greg Wilkins <gregw@intalio.com> 
> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
> http://www.webtide.com  advice and support for jetty and cometd.

Mark Nottingham   http://www.mnot.net/
Received on Friday, 15 August 2014 08:57:10 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:10 UTC