Re: Response to HTTP2 expresions of interest from Willy Tarreau on 2012-07-14 (ietf-http-wg@w3.org from July to September 2012)

From: Willy Tarreau <w@1wt.eu>
Date: Sat, 14 Jul 2012 07:52:50 +0200
To: Tim Bray <tbray@textuality.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, James M Snell <jasnell@gmail.com>, Phillip Hallam-Baker <hallam@gmail.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20120714055250.GN16256@1wt.eu>

On Fri, Jul 13, 2012 at 08:21:03PM -0700, Tim Bray wrote:
> On Fri, Jul 13, 2012 at 11:21 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>wrote:
> 
> 
> > TLS communication today already have an envelope consisting of
> > IP# + TCP port numbers, and unless your adversary is totally
> > incompetent, he also has the DNS lookup that gave you that IP#.
> >
> > QED: Putting the "Host:" in the HTTP envelope does not leak any
> > information your adversary doesn't already have or can guess.
> >
> 
> That?s just not true.  There are lots of ways to get to a particular origin
> server, and I would think that for a malicious person in the middle, the
> Host header would be more interesting than the ostensible IP address.  On
> the other hand, I do understand why a payload-oblivious load balancer would
> need to see that header.  It is simply the case that we have two objectives
> which are apparently in conflict. No, I don?t have a solution (or even a
> strong opinion, yet, although I?m inclined to err on the side of protecting
> user privacy at the expense of almost all else).  -Tim

Well, TLS offers SNI which also reveals the Host header in clear text, so
your extreme view of privacy doesn't seem to be shared as much wich even
these guys. Also, building a protocol fortress that prevents anyone from
implementing it in real life is an effective way of protecting user privacy
since the user won't have access to anything and thus won't reveal his
intents. Maybe some people would even consider that revealing they have
access to the internet affects their privacy so they need an invisible
connection... At one point a limit must be set, otherwise it becomes
totally non-sense. Host and IP are reasonably interchangeable, are used
for routing the protocol to its destination, and if someone doesn't want
to show what host he's going to, he'd better leave the net. And if even
the TLS guys accept this, then I think this is a much acceptable limit.

Regards,
Willy

Received on Saturday, 14 July 2012 05:53:15 UTC