- From: Maxthon Chan <xcvista@me.com>
- Date: Wed, 01 Apr 2015 05:48:41 +0800
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: Adrien de Croy <adrien@qbik.com>, Xiaoyin Liu <xiaoyin.l@outlook.com>, Dan Anderson <dan-anderson@cox.net>, "Walter H." <walter.h@mathemainzel.info>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Let’s just say that a certain ISP (or rather, ISPs backed by a government agency) in a certain country MITMs 100% of all kinds of plaintext traffic, and they disrupt all kinds of encrypted traffic. If HTTP/2 cannot survive such MITM, this will effectively disconnect a whole country from the Web. Let’s just say this will make that certain government agency very happy, since they no longer need to censor anything, as the Web censored itself.

> On Mar 31, 2015, at 09:00, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> On 31/03/15 01:07, Adrien de Croy wrote:
>>
>> With MitM all bets are off
>
> Seems to me that claims of the prevalence of MitM are somewhat exaggerated. The last study I recall of those in the wild found about 0.41% of requests affected. [1]
>
> So I think any argument of the form "don't do X to try be more secure or private, since the prevalence of MitM implies X is pointless" ought be considered bogus at the ~99.5% confidence level, at least according to [1].
>
> I also note that [1] found that those few unfortunate victims of the MitM attack are terribly served between UA and MitM as they saw a bunch of short RSA keys (with no PFS) used. And one would expect that to be the case as a supposedly "benevolent" MitM will generally decide to prefer crap security so that their always-negative performance impact is minimised. (Seeing commensurate security on both sides of the MitM might even be considered as indicative that the MitM is more likely malicious and not benevolent? I've not seen that measurement so far as I recall, so I'm just speculating there.)
>
> Are there better studies out there with better figures?
>
> If not and 0.41% of crappy security that you get with real deployments of MitM's is the norm, then we ought be more than ignoring the MitM deployments - we all (and browsers!) should be yelling loudly about 'em as we trip over their victims.
>
> Cheers,
> S.
>
> [1] http://arxiv.org/abs/1407.7146
Received on Tuesday, 31 March 2015 21:49:15 UTC