W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2019

Re: New Draft: draft-ohanlon-transport-info-header

From: Patrick McManus <mcmanus@ducksong.com>
Date: Mon, 2 Dec 2019 08:50:24 -0500
Message-ID: <CAOdDvNp0GKs5NNs2LkJkiAyWMYbc2DOAKAAxXLMjeSDVLBMHqQ@mail.gmail.com>
To: "Piers O'Hanlon" <piers.ohanlon@bbc.co.uk>
Cc: Patrick McManus <mcmanus@ducksong.com>, Lucas Pardue <lucaspardue.24.7@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Nov 26, 2019 at 12:12 PM Piers O'Hanlon <piers.ohanlon@bbc.co.uk>

> Sure - I guess I didn’t put it very well - I was trying to say that the
> Transport-Info header would be only be transferred between that CDN edge
> and the client - it’s a hop-by-hop heade'''

h2 doesn't have hop to hop headers. it has per stream frames though.

> r - for the last last hop.

how does one know they are the last hop?

what have you have described the side channel isn’t clear to me?
> >
> >
> > obviously the HTTP protocol is aware of this sharing - indeed it
> initiates it! but the ramifications of it are generally opaque to the
> semantics of HTTP exchanges (roughly expressed by headers and messages). So
> perhaps what you want is better carried in the protocol (e.g. as a frame)..
> if you are proposing exposing it to content it needs to be scrutinized for
> the same reason that it is useful. This can be subtle - see CRIME and
> BREACH for example.
> >
> Yes I had considered that frame based transport might be better but what
> is also required is to extract the transport/flow information for that
> stream - but if one could do that then it would potentially be ok to
> transport it in a header as the issue is that there is access to shared
> state.

there is a significant difference between information available to the
protocol implementation and information in the semantic header layer which
is available to javascript. The latter is held to a higher level of
isolation due to the security model of javascript.

> Also for H2/3 since this is an issue about transport rate the fact padding
> is used on each connection

padding is not really a common thing at scale and there is some controversy
over how helpful it is.

> means that there is always going to be some uncertainty introduced by
> padding in such attack. Such an attack where one flow to try to learn about
> another flow it would need to calculate it’s own portion of the flow so it
> could subtract it from the total flow rate provided by the header but’s
> going to be limited by not knowing about the padding.
I think your best argument is going to be that this side channel isn't very
meaningful for what you are reporting - but arguing that there isn't a side
channel is not going to work out well long term. The attacker is always
better motivated and more clever than your defense. Here's a fun one:
https://www.usenix.org/node/217606 from ietf 106

> Another potential mitigation technique would be to add some noise to the
> measurements which would make it harder for collusion to occur with
> coordinated attacks. The choice of the level of noise could be a function
> of the number of flows the server knows are sharing the connection, or
> maybe just some randomness so that two simultaneous requests don’t obtain
> the same result - although in practice they’re not going to obtain the same
> result as the connection parameters are constantly changing, although such
> random noise could mitigate attempts to compare trends.
Received on Monday, 2 December 2019 13:50:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:43 UTC