Re: HTTP/2 and Pervasive Monitoring

On 15 August 2014 12:58, Mark Nottingham <mnot@mnot.net> wrote:

> It's safe to say that pervasive monitoring is very relevant to HTTP.


I'm not so sure about this.

The vast bulk of PM issues, at least as they are discussed in Australia, are
related to the collection and retention of metadata: who you talked to,
when you connected, how much data, who you connected to next, etc.
While I'm sure inspection of content is also an issue, it is secondary to
the metadata issues.  Also, many of the players involved in PM attacks have
access to the unencrypted end points, so transport encryption is a long way
off being a silver bullet for protection from PM.

There is very little that we can do within a protocol like HTTP to address
such metadata collection.  Moreover, the problems that we face are
similar to PM issues that other application protocols face.  SMTP, POP,
IMAP, Websocket, IRC, SIP etc. all need similar protection as
HTTP.  Solving PM is not something that I think that any of these
protocols can do on their own.  Essentially PM is something that needs to
be addressed at the TCP/IP level, as I would suggest that any protocol using
TCP/IP is subject to significant PM attack regardless of encryption.

Note that I'm not necessarily arguing against https only... I'm really
just saying that to pretend that this gives any significant defence against
PM is to oversell what it achieves or what can be achieved by any
application protocol standalone.

It is indeed a problem, I just don't think we can put our hand up as being
able to solve it.

regards




-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Friday, 15 August 2014 06:01:15 UTC