> So, I think understanding how pervasive monitoring enables these other
> attacks is very much in scope for the high-level picture and is
> definitely something the March workshop should consider.
> It's also the sort of analysis I'd expect people to look into when doing
> security considerations sections after the passive threat BCP is
> approved.
The basic point is that it is fairly easy for agencies with wide monitoring capabilities to observe third party cookies, and to associate them with user identities. Once you have that, you can identify the IP address of the target, and start prepping for the injection. To mount an active attack, you only need to observe the SYN packet, and immediately send a SYN-ACK, a DATA packet containing the HTTP Redirect, and a FIN. You don't need to actually receive the ACK from the remote site. If you beat the race against the actual web site, you win. And you can certainly do that "from the side," you just need to find a router that will let you inject packets without checking the origin address.

After that, up to your imagination. Targets are unlikely to find out that one of the dozen or so trackers on the web page was redirected. Or that it downloaded some exploit...

I don't think we will be able to eradicate clear text HTTP, but we can certainly limit the damage and create momentum. For example, we could assume that any clear text HTTP connection is untrusted, and ask browsers to treat them as such. No cookies, no scripts, definitely no download. That would be a nice way to push sites towards HTTPS. The various trackers will probably be the first to move...

-- Christian Huitema

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
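One detection angle that follows from the race described in the post: the injector wins only by answering before the real server, it cannot stop the real server's own SYN-ACK from arriving a little later, so the client's side of the network sees two SYN-ACKs for the same handshake carrying different initial sequence numbers. The Python below is an added illustration of that check and is not code from the post or from the perpass list; the `Pkt` record layout, the `find_conflicting_synacks` heuristic and the sample trace are all constructed here, and the trace is not a real capture.

```python
"""Passive check for a raced SYN-ACK in a TCP trace (constructed example).

Idea: a clean handshake produces one SYN-ACK per flow (plus, at most,
retransmissions of the *same* segment). Two SYN-ACKs for one flow that
acknowledge the same client ISN but carry different server ISNs mean two
parties answered the client's SYN. The earlier one is what the client
acted on; the later one is usually the genuine server, arriving too late.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    """One captured TCP segment, reduced to the header fields the check needs."""
    ts: float      # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters: S=SYN, A=ACK, P=PSH, F=FIN
    seq: int
    ack: int
    ttl: int


def is_synack(p: Pkt) -> bool:
    return "S" in p.flags and "A" in p.flags


def find_conflicting_synacks(packets: List[Pkt], window: float = 5.0) -> List[dict]:
    """Return one finding per flow that saw SYN-ACKs with differing server ISNs.

    The flow key (client ip, client port, server ip, server port) is read from
    the SYN-ACK itself (server -> client direction). A later SYN-ACK counts as
    a rival only if it arrives within `window` seconds of the first one, acks
    the same client ISN, and uses a different server ISN; an ordinary
    retransmission repeats the same ISN and therefore never triggers.
    """
    by_flow: Dict[Tuple[str, int, str, int], List[Pkt]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if is_synack(p):
            by_flow[(p.dst, p.dport, p.src, p.sport)].append(p)

    findings = []
    for (cip, cport, sip, sport), synacks in by_flow.items():
        first = synacks[0]
        rivals = [q for q in synacks[1:]
                  if q.ts - first.ts <= window
                  and q.ack == first.ack
                  and q.seq != first.seq]
        if rivals:
            findings.append({
                "client": f"{cip}:{cport}",
                "server": f"{sip}:{sport}",
                "accepted_seq": first.seq,   # the answer the client actually used
                "accepted_ttl": first.ttl,
                "rival_seqs": [q.seq for q in rivals],
                "rival_ttls": [q.ttl for q in rivals],
                "gap_ms": round((rivals[0].ts - first.ts) * 1000, 1),
            })
    return findings


# Constructed sample trace. Flow 1 (port 51000): the SYN is answered twice;
# the early answer uses an ISN the real server never issued, then pushes a
# response and a FIN; the real server's SYN-ACK lands 38 ms later.
# Flow 2 (port 51002): a normal handshake. Flow 3 (port 51004): a normal
# handshake whose SYN-ACK is retransmitted unchanged.
SAMPLE_TRACE = [
    Pkt(0.000, "192.0.2.10", 51000, "198.51.100.7", 80, "S", 1000, 0, 64),
    Pkt(0.002, "198.51.100.7", 80, "192.0.2.10", 51000, "SA", 55555, 1001, 60),
    Pkt(0.003, "192.0.2.10", 51000, "198.51.100.7", 80, "A", 1001, 55556, 64),
    Pkt(0.003, "192.0.2.10", 51000, "198.51.100.7", 80, "PA", 1001, 55556, 64),
    Pkt(0.005, "198.51.100.7", 80, "192.0.2.10", 51000, "PA", 55556, 1101, 60),
    Pkt(0.006, "198.51.100.7", 80, "192.0.2.10", 51000, "FA", 55700, 1101, 60),
    Pkt(0.040, "198.51.100.7", 80, "192.0.2.10", 51000, "SA", 777777, 1001, 52),
    Pkt(0.000, "192.0.2.10", 51002, "203.0.113.5", 80, "S", 5000, 0, 64),
    Pkt(0.030, "203.0.113.5", 80, "192.0.2.10", 51002, "SA", 90000, 5001, 52),
    Pkt(0.031, "192.0.2.10", 51002, "203.0.113.5", 80, "A", 5001, 90001, 64),
    Pkt(1.000, "192.0.2.10", 51004, "203.0.113.9", 80, "S", 7000, 0, 64),
    Pkt(1.020, "203.0.113.9", 80, "192.0.2.10", 51004, "SA", 4242, 7001, 52),
    Pkt(2.020, "203.0.113.9", 80, "192.0.2.10", 51004, "SA", 4242, 7001, 52),
    Pkt(2.021, "192.0.2.10", 51004, "203.0.113.9", 80, "A", 7001, 4243, 64),
]

if __name__ == "__main__":
    for f in find_conflicting_synacks(SAMPLE_TRACE):
        print(f)
```

The check is deliberately narrow: it needs no knowledge of the payload, only that two different hosts answered one SYN, so it works on cleartext and TLS flows alike and sits naturally in a sensor close to the client. The reported TTLs are only supporting evidence for an analyst (two answers from the same server would normally share a hop count); the finding itself rests on the conflicting sequence numbers.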
