Audit HTTP/2 and SPDY if needed

HTTP/2 is enabled in Firefox 38. We should make sure it adheres to our design specifcation. If not we need to either patch the problematic things or switch them of via preferences. Related: #6101 (moved) and #4100 (moved).

added TorBrowserTeam201808R component::applications/tor browser ff60-esr owner::tbb-team priority::very high resolution::fixed severity::normal status::closed tbb-linkability tbb-performance tbb-usability-website type::task labels

Keep possible timing vectors wrt PING and SETTINGS frames in mind.

Trac:
Description: HTTP/2 is enabled in Firefox 38. We should make sure it adheres to our design specifcation. If not we need either patch the problematic things or switch them of via preferences. Related: #6101 (moved) and #4100 (moved).

to

HTTP/2 is enabled in Firefox 38. We should make sure it adheres to our design specifcation. If not we need to either patch the problematic things or switch them of via preferences. Related: #6101 (moved) and #4100 (moved).

Trac:
Cc: N/A to mcs

Looking over Georg and my mails with Mark Nottingham, our concerns then were:

1. Long-lived connections, especially without proper first party isolation in terms of connection re-use.
2. We probably want to disable server push, due to cache inference attacks (see: https://gnunet.org/sites/default/files/uzunov2013torspdy.pdf section 6.3.2)
3. PING and SETTINGS timing side channels.

I had this to say about PING and SETTINGS:

Relatedly, I'm somewhat worried about the bidirectional nature of PING and SETTINGS from the tor-specific perspective. Because these can be sent async by the server and are acked immediately by the client, they might be able to introduce a timing signature by the server beyond what is contained in response to active requests from the client.. Granted, such things are possible with Javascript (or even by simply shoving a bunch of junk inside an html comment in a hidden element), but people are able to disable Javascript, and static content-based mechanisms will also show load progress indication in the UI.

Therefore, In Tor Browser, I'd be tempted to close the connection if I got more than some frequency of PING or SETTINGS updates from the server, especially in the absence of other activity.

Mark said that closing such connections seemed fine, but we'd have to be careful about content elements just reopening them either through JS or dynamic CSS-based element loads. One option for that is to disable browser-based JS/HTML network activity in inactive tabs using Firefox's request filter APIs.

We also discussed playing with HTTP/2's various batching and padding parameters as another possible defense against website traffic fingerprinting, but I'm not sure there is enough there already to make this very useful beyond the types of things that our pipelining defense already does, and we still need more research in this area to know what we'd want to add/change and how. He suggested waiting for HTTP/3 for requesting such things in spec form, since there will be resistance to late spec changes that may change cost profiles for the server side, especially for deployment (since that has already begun).

Note: don't forget the keep-alive audit for SPDY (see: #4100 (moved)).

Trac:
Priority: normal to major

Tag the set of things that are risky to debut in the 5.0-stable release without testing in a prior alpha.

Trac:
Keywords: N/A deleted, tbb-5.0a-highrisk added

Ensure all tbb-5.0a items are on the June radar.

Trac:
Keywords: N/A deleted, TorBrowserTeam201506 added

Trac:
Owner: tbb-team to mikeperry
Status: new to assigned
Keywords: N/A deleted, MikePerry201506 added

I pushed prefs to disable HTTP/2 for 5.0a3. I took a quick look at the source code, and the HTTP/2 implementation in Firefox is heavily dependent on the SPDY implementation.. We're probably going to have to review both HTTP/2 and SPDY v3.1 as a result. :/

Move over remaining June items to July

Trac:
Keywords: TorBrowserTeam201506 deleted, TorBrowserTeam201507 added

Move my tickets over for July

Trac:
Keywords: MikePerry201506 deleted, MikePerry201507 added

Tag some 5.0a4 goals.

Trac:
Keywords: N/A deleted, tbb-5.0a4 added

Trac:
Cc: mcs to mcs, dcf@torproject.org

Trac:
Keywords: TorBrowserTeam201507 deleted, TorBrowserTeam201508 added

I am pretty much done with this audit. I need to write this up and file one or more tickets for support.

This is not a 5.0 item. We won't be able to do this by 5.0.

Trac:
Keywords: ff38-esr, tbb-5.0a4, tbb-5.0a-highrisk, MikePerry201507 deleted, MikePerry201508 added

Move remaining August tickets to September.

Trac:
Keywords: TorBrowserTeam201508 deleted, TorBrowserTeam201509 added

Moving Tor Browser tickets to October 2015.

Trac:
Keywords: TorBrowserTeam201509 deleted, TorBrowserTeam201510 added

Trac:
Keywords: TorBrowserTeam201510 deleted, TorBrowserTeam201511 added