Re: SSL/TLS everywhere fail from Mark Nottingham on 2015-12-06 (ietf-http-wg@w3.org from October to December 2015)

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 6 Dec 2015 11:30:24 +1100
To: Jacob Appelbaum <jacob@appelbaum.net>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Cory Benfield <cory@lukasa.co.uk>, Adrien de Croy <adrien@qbik.com>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-Id: <12AA7665-8F99-43EE-AA12-2B45CE4D6D73@mnot.net>

On 6 Dec 2015, at 2:10 am, Jacob Appelbaum <jacob@appelbaum.net> wrote:
> 
> I think we need a viable replacement for TLS where it is harder to
> censor - layer violations ensure that an attacker can just TCP reset,
> while off-path. TLS 1.3 with DTLS may be much harder to censor, for
> example.
> 
>> 
>> No, it won't be plug in, and no, it may not make people the same
>> amount of money as usual.  But it *might* push our political
>> agenda forward as a means of "civil disobedience".
> 
> I generally think that this is a good idea but it also misses a
> critical pressure point: when we all use similar protocols, we can
> help each other by blending in at the network level.

Since we're talking about censorship evasion, folks might be interested in this:

<https://www.cachebrowser.info/>

"""
CacheBrowser is a system designed to help Internet users bypass Internet censorship.

The core idea of CacheBrowser is to grab censored content cached by Content Delivery Networks such as Akamai and CloudFlare directly from their CDN edge servers, therefore, foiling censors' DNS interference.
"""

I'm wondering (and that's just me, not speaking for my employer or anyone else) if there's something that can be done to make this a bit easier (and operate more smoothly); e.g. a format that lists DNSSEC assertions about delegations to a third party (like a CDN). 

Also, I've been working on a straw-man H2 extension in the background to tunnel IP over H2 (insert joke here). The idea being that if the connection doesn't have any discriminators vs. a normal HTTP one, any Web site could potentially be a VPN endpoint. It's true that traffic analysis is still possible, but it's a lot harder with multiplexing and padding. See:
 http://mnot.github.io/I-D/h2-vpn/
So far, I've had a few expressions of interest from non-browser implementers, but I think it needs to be built into browsers to avoid incidental discriminators. 

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Sunday, 6 December 2015 00:30:59 UTC