Re: HTTP/2 and Pervasive Monitoring from Mark Nottingham on 2014-08-15 (ietf-http-wg@w3.org from July to September 2014)

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 15 Aug 2014 18:56:40 +1000
To: Greg Wilkins <gregw@intalio.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <DE8B5174-864A-4514-B2DC-6F1742535A8C@mnot.net>

Greg - please have a read of the BCP, which says some things that are very similar to your statements.

No protocol effort can claim to “solve” it — it would be ludicrous to say we could — but by the same token, we can’t (as per the BCP) bury our heads in the sand and not consider the PM-related consequences of our protocol design.

 (I think we’re in violent agreement here)

Cheers,


On 15 Aug 2014, at 4:00 pm, Greg Wilkins <gregw@intalio.com> wrote:

> 
> On 15 August 2014 12:58, Mark Nottingham <mnot@mnot.net> wrote:
> It's safe to say that pervasive monitoring is very relevant to HTTP.
> 
> I'm not so sure about this.
> 
> The vast bulk of PM issues, at least as they are discussed in Australia are related to the collection and retention of meta data.  Who you talked to, when you connected, how much data, who you connected to next, etc.      While I'm sure inspection of content is also an issue, it is secondary to the meta data issues.  Also many of the players involved in PM attacks have access to the unencrypted end points, so transport encryption is a long way off being a silver bullet for protection from PM
> 
> There is very little that we can do within a protocol like HTTP to address the such meta data collection.     More over, the problems that we face are similar to PM issues that other application protocols face.  SMTP, POP, IMAP, Websocket, IRC, SIP etc. all need similar protection as HTTP.            Solving PM is not something that I think that any of these protocols can do on their own.  Essentially PM is something that needs to be addressed at the TCP/IP level as I would suggest that any protocol using TCP/IP is subject to significant PM attack regardless of encryption.
> 
> Note that I'm not necessarily arguing against https only.... I'm really just saying that to pretend that this gives any significant defence against PM is to over sell what it achieves or what can be achieved by any application protocol stand alone.
> 
> It is indeed a problem, I just don't think we can put our hand up as being able to solve it.
> 
> regards
> 
> 
> 
> 
> -- 
> Greg Wilkins <gregw@intalio.com> 
> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
> http://www.webtide.com  advice and support for jetty and cometd.

--
Mark Nottingham   http://www.mnot.net/

Received on Friday, 15 August 2014 08:57:10 UTC