W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Adding Security Considerations regarding interception to p1

From: Peter Occil <poccil14@gmail.com>
Date: Tue, 17 Sep 2013 22:30:24 -0400
Message-ID: <AFBC6493674A4DDCBADD84590D462519@PeterPC>
To: "Mark Nottingham" <mnot@mnot.net>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
I support this.  However, as written, some of the text is poorly worded:

"Nevertheless, servers ought to carefully consider the privacy implications 
of using HTTP without encryption (i.e., using TLS [RFC2818]), preferring its 
use where there is any potential for access to be considered sensitive."

Here, "its use" may be misunderstood to mean "the use of HTTP without 
encryption", which is almost certainly not the intent.  Maybe this will work 
better:

"Nevertheless, servers ought to carefully consider the privacy implications 
of using HTTP without encryption, preferring the use of encryption (such as 
TLS [RFC2818]) where there is any potential for access to be considered 
sensitive."

--Peter

-----Original Message----- 
From: Mark Nottingham
Sent: Tuesday, September 17, 2013 9:30 PM
To: IETF HTTP WG
Subject: Adding Security Considerations regarding interception to p1

In Berlin, we discussed the implications of HTTP's use of encryption upon 
privacy, in light of recent developments. See:
  <http://www.ietf.org/proceedings/87/slides/slides-87-httpbis-3.pdf>

One of the proposals that got strong support in the room (i.e., very loud 
hum in favour, only a few humming in dissent) was adding text to Security 
Considerations in HTTP/1.1 to indicate the privacy implications of running 
without encryption.

We are very nearly ready for IETF Last Call -- possibly days away.  So, my 
inclination is to see if we can achieve consensus to add some text in a 
reasonable amount of time.

Based on the discussion in Berlin, I've come up with proposed text for a new 
subsection of Security Considerations in p1. Please have a look below and 
indicate if you think it's a good idea to add this, disagree with adding it, 
or have an alternative that you think can gain consensus more easily.

Be warned -- I don't want to rathole on this, and the easiest thing to do is 
not to add anything.

---8<---

Interception and Privacy

Common use of HTTP often contains a considerable amount of Personally 
Identifying Information; this might include cookies [RFC6265], application 
data, and even patterns of access.

If used without encryption, HTTP makes this data vulnerable to passive 
interception. There are known instances when third parties have exploited 
the in-the-clear nature of "http://" URIs to obtain sensitive information, 
for a variety of purposes. Use of TLS [RFC2818] can mitigate such passive 
interception attacks.

Moreover, like other clear text protocols, HTTP/1.1 is subject to an active 
man-in-the-middle attack.  That is, it is possible for an intermediary
device to terminate a client TCP connection and respond as if it had the IP 
address of the intended HTTP server.  An attacker may insert or delete 
content or redirect the client to a completely different web site. 
Encryption [RFC2818] may or may not mitigate this form of attack, depending 
on the client and individual behaviors.

HTTP/1.1 does not make any particular security mechanism -- including 
encryption -- Mandatory to Implement, as its deployment pre-dated [RFC3631]. 
Nevertheless, servers ought to carefully consider the privacy implications 
of using HTTP without encryption (i.e., using TLS [RFC2818]), preferring its 
use where there is any potential for access to be considered sensitive.

--->8---

Regards,

--
Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 18 September 2013 02:31:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:15 UTC