It's investigation time! HTTP/2, AltSvc and SSL

[ghost]

TBB enabled both HTTP/2 and Alternative Services on the release channel in September, following two audits : HTTP/2 and AltSvc. It is indicated that these protocols no longer pose a threat to privacy when FPI is enabled. Therefore, I suggest we consider commenting the related prefs (0702, 0703) and add a warning that they need FPI enabled to be safe, privacy-wise. However, @Thorin-Oakenpants 👖 raised a fair point in #107:

I think SSL session ticket ids is closely related. The thing is TBB is different - it uses tor and changes circuits (I'd have to check now, but it used to be every 10 minutes)

It would be kinda cool to know if SSL session tickets are required for HTTP2 and AltSrv, because that's the overriding factor in even allowing them in the first place. Currently FF only wipes SSL sessions on FF (or last PB mode) close, otherwise it allows up to 2 days (and I'm not sure if it respects that, eg if a site says the id is valid for 5 days, what does FF do, and vice versa if the site says its shorter)

As the title states, it's investigation time! Does anyone know who we could reach out to to get an answer? Could some experts share their insights on the matter?

P.S.: Now THIS would be a perfect issue for your "NEEDS JESUS" label, @claustromaniac! :cat2: Also, can I add the "help wanted" label or that restricted to the big E and 👖 ?

[ghost]

Thanks, @Thorin-Oakenpants

The problem with GitHub is that it's not possible to search terms within the issues, only code. I searched for SuperCooKey in this repository's homepage and was answered:

We couldn’t find any code matching 'SuperCooKey' in ghacksuserjs/ghacks-user.js

Bothers me as much as it may bother you or anyone giving the direction. I do try to find the best topic for posting but impossible to know where a given comment, subject has been handled. Bothers me on every GitHub repository.

Thanks, #536, noted.

[Thorin-Oakenpants]

searching works fine for me. It says it can't find any CODE ... you just need to look on the left and you will see it has a counter for Issues

[ghost]

Got it, thanks again @Thorin-Oakenpants To be noted nevertheless that it doesn't find SuperCooKey if the query is cookey, but at least there's an echo for issues. The whole place is really intended for coders, not really user-friendly. Anyway no doubt I should have spotted this.

[earthlng]

@Aeriem thank you very much for getting us some quality answers from GeKo!

I strongly believe we should enable 702 and 703, both for speed and compatibilty, especially given that it is safe, security and privacy-wise.

• speed is not a priority
• compat: I have never encountered a single page that didn't work without H2. Facebook apparently broke for a while but maybe they fixed/relaxed that again IDK and I don't care about Facebook anyway. Fuck FB! #deletefacebook Yes it's only gonna get worse but atm compat is not really an issue.
• safe: it's probably safe security-wise but I'm not so sure about privacy. There are still things nobody really looked at in detail AFAIK, not just here but in general. fe TB disabled server push when they enabled H2 and Arthur also wrote

  PING or SETTINGS updates timing side-channels are something I am not addressing here. I think they could do with further investigation.

and then there's multiplexing which AFAIK can also mean potentially using the same connection for different domains. fe. let's take our good friend Cloudflare and let's say VPN user A accesses foo.bar which is CF-protected and happens to have the same CF cert as example.com. When A accesses both these domains (or any number of other domains with the same cert), CF will now know (thanks to H2) that VPN user A is accessing both foo.bar and example.com because it's using the same connection to the same middlebox at CF. But again, that's AFAIK and just based on my very limited knowledge of things. I could be totally wrong!

[earthlng]

somewhat related: the risk for replay attacks with 0-RTT is also pretty low because FF only uses it for GET, HEAD and OPTIONS requests and the performance benefits are probably higher than H1 vs H2. The only risk is with badly designed sites which send sensitive data like payments or whatnot with GET instead of POST. Yes it also breaks perfect-forward-secrecy but obviously nobody at mozilla, google, etc thinks that's bad enough to warrant disabling it by default. We'll see what TB does when they enable TLS1.3. Should we also enable 0-RTT? Same reasons: low risk, performance, hide in the crowd

[ghost]

I know it's up to everyone to make and assume his choices and I'm no exception. Nevertheless may I ask you, @earthlng , if you will keep 702 & 703 as they are now (disabled, that is not commented) or if you'll dive whatever the multiplexing which is behind and which has all my attention? Just to know, I won't go around saying, writing "earthlng this, earthlng that' :=)

[earthlng]

FYI: Remember those annoying JS-enforcing captchas when trying to access one of the couple millions of CF-protected pages over Tor? They're now gone (for the most part) because tor implemented something that lets CF (and everyone else) identify tor clients by a channel-id. Plus, thanks to H2+AltSvc, CF customers can enable an option (default is enabled if I remember correctly) to redirect tor users to an onion address for their site (hosted by CF of course). But the captchas are gone regardless of whether H2+AltSvc are enabled or not

[earthlng]

@StanGets I'll keep H2+AltSvc disabled, at least for now.

I dislike H2 in general. It didn't solve anything that couldn't have been done in a better way with just H1 and without all the unnecessary shit. Instead it introduced new problems and in some aspects is just straight up worse. see fe http://blog.gfader.com/2017/05/5-things-i-learned-about-http2-in.html

and also this again: https://queue.acm.org/detail.cfm?id=2716278

Some will expect a major update to the world's most popular protocol to be a technical masterpiece and textbook example for future students of protocol design. Some will expect that a protocol designed during the Snowden revelations will improve their privacy. Others will more cynically suspect the opposite. There may be a general assumption of "faster." Many will probably also assume it is "greener." And some of us are jaded enough to see the "2.0" and mutter "Uh-oh, Second Systems Syndrome."

The cheat sheet answers are: no, no, probably not, maybe, no and yes.

If that sounds underwhelming, it's because it is.

HTTP/2.0 is not a technical masterpiece. It has layering violations, inconsistencies, needless complexity, bad compromises, misses a lot of ripe opportunities, etc.

[ghost]

I've just read the two articles you mentioned, @earthlng . Impressive.

As many of us but certainly not as all I favor security, then privacy (though both are often tied), and speed only after.

If disabling HTTP2 and AltSrv has no impact on security & privacy (and from what I've read in those articles as well as here and elsewhere it'd rather be the opposite) but only on a slight speed improvement (and yet, depending on the servers) then I couln't consider an intellectual/psychological addiction to modernism as a valid reason to honor http2 and AltSrv blindly.

Unfortunately I'm far from knowing enough in this networks area to take some decisions fully aware of their implications, so I guess I'll rely on the opinion of those who obviously have a stronger background than mine, staying tuned to read their opinions throughout time. All this is so complex.

Thanks for sharing and of course thanks for your user.js (which started it all) and its continuation within this repository. Some of us don't see the iceberg, some see it and believe it's all in what they see, and once you dig (or dive) you realize the immensity of what is below.

[ghost]

@earthlng You're most welcome, I'm really glad I got to help out a bit! Never hesitate to ask me when I can do such simple things. It's really a time issue, which you both lack, with @Thorin-Oakenpants. After reading the articles you linked, I understand that the complexity of it all doesn't allow us to enable those protocols until further auditing is done. Let's hope HTTP/3 learns from these mistakes and brings us all a new standard on security, privacy and performance. Also, when I mentionned speed, I did say it was an absolute NON-priority! (Just a bit further up the issue.) This user.js is about security and privacy, not perf enhancements, I'm not losing sight of things, don't worry! :)

[Thorin-Oakenpants]

Earthlng

compat: I have never encountered a single page that didn't work without H2. Facebook apparently broke for a while but maybe they fixed/relaxed that again IDK and I don't care about Facebook anyway.

Yes it's only gonna get worse but atm compat is not really an issue.

Me

As for HTTP2-only sites, IMO they would be super rare. Any site that did that would be shooting themselves in the foot. We could probably sit on this for a couple of years with no issues.

and just for good measure, hackerfactor

Really? HTTP/1.0 was replaced by HTTP/1.1 back in January 1997. (That's nearly 22 years ago, for people who need more fingers and toes.) Every web server out there still supports HTTP/1.0.

While HTTP/3 will be widely adopted someday, it's certainly not going to drop support for HTTP/1.1 in the next few years.

Newer HTTP/1.1 server supports spdy. spdy was replaced by http2, and http2 is being replaced by HTTP/3. But even servers that support spdy or http2 still support plain old HTTP/1.1.

I really don't think compat is an issue, not for years, if not a decade

[Thorin-Oakenpants]

@Aeriem - thanks for digging into this and chatting with GeKo. It certainly enlightened me as to how Tor Browser model the threat - I never knew they didn't auto-New Identity after x time, but I did know that they have relaxed "standards" over session data. From lots of previous reading etc, I know that FPI is their holy grail and they want to enable third party cookies, etc - because they are relying on the Tor protocol and that in itself, that is anonymized web traffic.

Still ... they don't seemed concerned about session data.

I'll close this: As said elsewhere, I have my own mechanism to chase up on and try to affect a SSL session id expiry better than 24 hours. The problem is they have no API/ internal call for it (from reading open bugzillas from 5-10 years ago). NFI how they expire it after 24 hrs then!

The info & discussion gained from here will be input into #571

Thanks creepy stalker guy :kiss:

[Atavic]

I could be totally wrong!

For me, you're mostly right @earthlng

Regarding speed, the improvement is minimal, here are some real numbers, scroll down to Performance Compared to TLS 1.2

Regarding multiplexing, any group with many data-centers will do that. M0zilla included.