Bonjour, Montréal ! Third day of . ietf.org/how/meetings/105/

Today, for me, decentralization (DIN research group), privacy (PEAR research group) and both plenaries, the technical one on , and the administrative one with probably a heated discussion about the recent resignation of the editor and what to do next.

And we start the Decentralized Internet Research group with : and .

A typical problem of mesh networks is compensation: why give network capacity away gratis?

Their solution measures a lot of things (such as the amount of bytes) and puts it in a blockchain. ("We tried HyperLedger but Ethereum works.")

And yet another presentation by a guy who thinks that adding "blockchain" to any system makes it decentralized. (And who clouds issues by spending a lot of time on unimportant technical details.)

Now, the serious things: "financial technology". Not a common subject at .

(Until now, this is only an institutional high-level talk. Why was it accepted by the Decentralized Internet Research Group?)

PEAR Research Group ()

First, Peter Snyder () on anti-standards. (Excellent talk.) Many Web standards create stuff that informs the server, allowing browser fingerprinting. To avoid this, you need to violate the standard.

Especially annoying is the case where these leaks address corner cases but are made available by default. And are impossible to remove.

He suggests thinking more about privacy when designing Web standards. (Most examples are for W3C, not IETF.)


Sandra Siby on encrypted : doing traffic analysis (spoiler: this attack is quite efficient)

In a closed world (only known Web sites), 90 % precision; in an open world, still 70 %. Is this bad?

Padding of encrypted requests works no miracles; it just decreases the precision. (Unless you do hard padding, with a big constant size.)
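The trade-off in the two toots above (padding only lowers the precision of a size-based attack, unless everything is padded to one big constant size), as an added example that is not part of the thread: a toy closed-world classifier that guesses the site from the observed request size alone, evaluated under no padding, block padding and constant-size padding. The request sizes, the 128-byte block and the 512-byte constant are constructed/assumed values, not figures from the talk.

```python
from collections import Counter

BLOCK = 128   # assumed block padding: round up to the next multiple
CONST = 512   # assumed hard padding: every request becomes this size

# Constructed sample: (site label, plaintext request size in bytes).
# Each site produces two slightly different request sizes.
SAMPLES = [
    ("site-a", 61), ("site-a", 63), ("site-b", 70), ("site-b", 71),
    ("site-c", 95), ("site-c", 97), ("site-d", 140), ("site-d", 141),
    ("site-e", 300), ("site-e", 305),
]

def no_pad(size):
    return size

def pad_block(size, block=BLOCK):
    """Block padding: pad to the next multiple of `block`."""
    return ((size + block - 1) // block) * block

def pad_const(size, target=CONST):
    """Hard padding: every request becomes `target` bytes.
    Requests already larger than `target` stay distinguishable."""
    return max(size, target)

def size_only_precision(samples, pad):
    """Closed-world attacker who sees only padded sizes: for each observed
    size, guess the most common site behind it. Returns the fraction of
    samples guessed correctly (1.0 = sizes leak the site perfectly)."""
    by_size = {}
    for label, size in samples:
        by_size.setdefault(pad(size), Counter())[label] += 1
    correct = 0
    for label, size in samples:
        best_label = by_size[pad(size)].most_common(1)[0][0]
        correct += (best_label == label)
    return correct / len(samples)

def mean_overhead(samples, pad):
    """Cost of the defence: average padding bytes added per request."""
    return sum(pad(s) - s for _, s in samples) / len(samples)

if __name__ == "__main__":
    for name, pad in (("none", no_pad), ("block", pad_block),
                      ("const", pad_const)):
        print(f"{name:5s} precision={size_only_precision(SAMPLES, pad):.2f} "
              f"overhead={mean_overhead(SAMPLES, pad):.1f} bytes")
```

With these inputs block padding still lets the attacker separate three size classes (precision drops from 1.0 to 0.6), while the 512-byte constant collapses every site into one class at roughly five times the bandwidth cost.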

Some slide titles at are surprising:

"Privacy-conscious monitoring"

Now, technical plenary at , on . Live at youtube.com/watch?v=VT4-xIZ-tN

Arvind Narayanan and Steve Bellovin on stage.

Ted Hardie introducing Bellovin: "He was on Usenet. You may have heard of that."

Narayanan talks (very fast) about privacy measurements.

" of Web browsers work because users going to the Panopticlick are self-selected: they have quite specific browsers, ordinary users are much more similar."

"Imperfect defenses are still useful." This is because we don't rely on technology alone to preserve . Technology must work hand-in-hand with politics, law, etc.

IoT devices are doing end-to-end encryption but the ends are the device and the company. The user is not in it.

Proposal: a debug mode allowing the user to dump the traffic of his smart gadgets in cleartext.

Now, Bellovin on stage mentioning old Jewish biblical texts about .

Recommendations for on : encrypt everything, avoid creating metadata, don't leave things unspecified (diversity means leakage).

Statistics for : 1079 participants onsite (from 48 countries), 147 beginners.

Hackathon : 280 onsite (biggest IETF hackathon), 42 projects.

@Clailou Ah no, it is only 18:40 here. We still have the whole discussion about the RFC Editor crisis.

report by Heather Flanagan. v3 format (with XML, pictures and Unicode) will be deployed this autumn (if running code runs).

But of course, it will depend on the new RFC editor. The current one stepped down, following an internal crisis, and will leave at the end of 2019. (Standing ovation for Heather.)

@bortzmeyer Oh wow, Heather is leaving the RFC Editor position??

@darius Unfortunately, yes, she resigned because of problems that we are going to discuss now.

@bortzmeyer I'm greatly appreciating your live blog, I'll try to keep an eye out for minutes too

Now, the discussion about the editor. Olaf Kolkman reminds us of RFC 6635, which describes the RFC Editor model. "The RFC editor turns Internet-Drafts into RFCs".

@bortzmeyer I think I'm getting a handle on it! Thank goodness for mailing list archives

Some remarks that seem common in the discussion about the editor crisis: the RFC Editor model (RFC 6635) is too complicated, IETF participants were not informed of what was happening, and of the crisis (this changed this morning with the message "RSOC apology"), misunderstandings were many...

@bortzmeyer this view is a reflection of the #deathcult a #openweb path is the only option that might not pass through disaster #OMN

@bortzmeyer that would be a great idea,
AND I would start at the biggest "IOT" of all : the smartphone !!

Indeed: in recent Android phones, it's impossible to know what HTTPS queries apps are doing: the biggest apps are doing SSL certificate pinning, therefore not allowing even a home-made (and system-accepted) CA :(

@bortzmeyer Will never happen. Companies will hide behind trade secrets and business contracts to never have to do that. It is exactly like: "Yes you can allow to accept or refuse cookies. But if you do not click Allow, nothing will work. Your choice." And governments will never force them to do that. I see more luck with the proposals from the CIRA guys: have at home 1 IOT gateway you control, and all stuff connects to it, and that gateway to the outside world. User back in full control.

@pmevzek In what way is it more realistic? Corporations will refuse that as well.

(Otherwise, I agree: really solving the problem will require ending capitalism.)

@bortzmeyer Because at least there is the possibility of "the market to decide". Users *may* have a choice between device A working that way, and device B not that way. At least some of them can choose A, as some companies may see the way to profit from that case and why interoperability could help. Of course, it is known that users do not base their buying choice on security/privacy features first. And interoperability is difficult on both technical and non-technical aspects.
