Re: Request to Charter a New Working Group: Oblivious HTTP (OHTTP)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Eliot Lear <lear@xxxxxxx> wrote:
    > Is this same service going to further harm clients by making it even more
    > difficult to block known malicious web sites?  Not only would a local
    > deployment not be able to do this, but proxies themselves wouldn't be able to
    > spot malware.  Combine that with some rather impressive phishing capabilities
    > of bad actors, and aren't we just hamstringing our ability to put down
    > malware attacks?

Without taking a position on the fundamental questions you ask, my
understanding is that the proxy would be run by an entity that had a lot of
properties, and that wished to provide pseudonymous access to them.
Candidates that I can think of would include: google, godaddy, azure, ec2,
cloudflare, *.gov, *.gc.ca, wordpress hosting companies, ... and that the target
properties would be configured with some trust in the proxy system.

> If what we are doing is
> standardizing tooling and providing libraries for BOTnets to operate against
> web sites, where the web site has no recourse when it is attacked, then why
> would anyone implement this? 

Given the relationship that I assuming above, then the web sites would be
able to communicate back to the proxy, and would be able to kill traffic
there.

BUT: A concern that I have is that in the already very assymetrical
     relationship between big property owners and small ones, this protocol
     makes it even more uneven.

So I would urge us to get a clear idea of what the possible costs of this
protocol are.  What are the benefits?  Like your blog and facebook questions
about Tor, I'm not convinced that the privacy benefits of this are large.

I didn't think oblivious-DNS was particularly useful either, because it was
basically just turning stub resolvers into mutated full resolvers, without
actually teaching them to do DNSSEC.   If they could do DNSSEC, then we could
trust answers from any place, and then we could do some kind of p2p DNS
queries to get better anonymization (and probably, more resiliency for DNS).


--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux