In this design, a
Client wishes to make a request to an
Oblivious Gateway Resource that is forwarded to a
Target Resource. The Client wishes to make this request without linking that request with either of the following:
-
The identity at the network and transport layer of the Client (that is, the Client IP address and TCP or UDP port number the Client uses to create a connection).
-
Any other request the Client might have made in the past or might make in the future.
In order to ensure this, the Client selects a relay (that serves the
Oblivious Relay Resource) that it trusts will protect this information by forwarding the Encapsulated Request and Response without passing it to the server (that serves the Oblivious Gateway Resource).
In this section, a deployment where there are three entities is considered:
-
A Client makes requests and receives responses.
-
A relay operates the Oblivious Relay Resource.
-
A server operates both the Oblivious Gateway Resource and the Target Resource.
Section 6.10 discusses the security implications for a case where different servers operate the Oblivious Gateway Resource and Target Resource.
Requests from the Client to Oblivious Relay Resource and from Oblivious Relay Resource to Oblivious Gateway Resource
MUST use HTTPS in order to provide unlinkability in the presence of a network observer.
To achieve the stated privacy goals, the Oblivious Relay Resource cannot be operated by the same entity as the Oblivious Gateway Resource. However, colocation of the Oblivious Gateway Resource and Target Resource simplifies the interactions between those resources without affecting Client privacy.
As a consequence of this configuration, Oblivious HTTP prevents linkability described above. Informally, this means:
-
Requests and responses are known only to Clients and Oblivious Gateway Resources. In particular, the Oblivious Relay Resource knows the origin and destination of an Encapsulated Request and Response, yet it does not know the decrypted contents. Likewise, Oblivious Gateway Resources learn only the Oblivious Relay Resource and the decrypted request. No entity other than the Client can see the plaintext request and response and can attribute them to the Client.
-
Oblivious Gateway Resources, and therefore Target Resources, cannot link requests from the same Client in the absence of unique per-Client keys.
Traffic analysis that might affect these properties is outside the scope of this document; see
Section 6.2.3.
A formal analysis of Oblivious HTTP is in [
OHTTP-ANALYSIS].
Because
Clients do not authenticate the
Target Resource when using Oblivious HTTP, Clients
MUST have some mechanism to authorize an
Oblivious Gateway Resource for use with a Target Resource. One possible means of authorization is an allowlist. This ensures that Oblivious Gateway Resources are not misused to forward traffic to arbitrary Target Resources.
Section 6.3 describes similar responsibilities that apply to Oblivious Gateway Resources.
Clients
MUST ensure that the
key configuration they select for generating
Encapsulated Requests is integrity protected and authenticated so that it can be attributed to the Oblivious Gateway Resource; see
Section 3.
Since Clients connect directly to the
Oblivious Relay Resource instead of the Target Resource, application configurations wherein Clients make policy decisions about target connections, e.g., to apply certificate pinning, are incompatible with Oblivious HTTP. In such cases, alternative technologies such as HTTP CONNECT ([
HTTP]) can be used. Applications could implement related policies on key configurations and relay connections, though these might not provide the same properties as policies enforced directly on target connections. Instead, when this difference is relevant, applications can connect directly to the target at the cost of either privacy or performance.
Clients cannot carry connection-level state between requests as they only establish direct connections to the relay responsible for the Oblivious Relay Resource. However, the content of requests might be used by a server to correlate requests. Cookies [
COOKIES] are the most obvious feature that might be used to correlate requests, but any identity information and authentication credentials might have the same effect. Clients also need to treat information learned from responses with similar care when constructing subsequent requests, which includes the identity of resources.
Clients
MUST generate a new HPKE context for every request, using a good source of entropy [
RANDOM] for generating keys. Key reuse not only risks requests being linked but also could expose request and response contents to the relay.
The request the Client sends to the Oblivious Relay Resource only requires minimal information; see
Section 5. The request that carries the Encapsulated Request and that is sent to the Oblivious Relay Resource
MUST NOT include identifying information unless the Client can trust that this information is removed by the relay. A Client
MAY include information only for the Oblivious Relay Resource in header fields identified by the
Connection header field if it trusts the relay to remove these, as required by [
HTTP]. The Client needs to trust that the relay does not replicate the source addressing information in the request it forwards.
Clients rely on the Oblivious Relay Resource to forward Encapsulated Requests and Responses. However, the relay can only refuse to forward messages; it cannot inspect or modify the contents of Encapsulated Requests or Responses.
The relay that serves the
Oblivious Relay Resource has a very simple function to perform. For each request it receives, it makes a request of the
Oblivious Gateway Resource that includes the same content. When it receives a response, it sends a response to the
Client that includes the content of the response from the Oblivious Gateway Resource.
When forwarding a request, the relay
MUST follow the forwarding rules in [
HTTP]. A generic HTTP intermediary implementation is suitable for the purposes of serving an Oblivious Relay Resource, but additional care is needed to ensure that Client privacy is maintained.
Firstly, a generic implementation will forward unknown fields. For Oblivious HTTP, an Oblivious Relay Resource
SHOULD NOT forward unknown fields. Though Clients are not expected to include fields that might contain identifying information, removing unknown fields removes this privacy risk.
Secondly, generic implementations are often configured to augment requests with information about the Client, such as the Via field or the Forwarded field [
FORWARDED]. A relay
MUST NOT add information when forwarding requests that might be used to identify Clients, except for information that a Client is aware of; see
Section 6.2.1.
Finally, a relay can also generate responses, though it is assumed to not be able to examine the content of a request (other than to observe the choice of key identifier, KDF, and AEAD); therefore, it is also assumed that it cannot generate an
Encapsulated Response.
A relay
MAY add information to requests if the
Client is aware of the nature of the information that could be added. Any addition
MUST NOT include information that uniquely and permanently identifies the Client, including any pseudonymous identifier. Information added by the relay -- beyond what is already revealed through
Encapsulated Requests from Clients -- can reduce the size of the anonymity set of Clients at a gateway.
A Client does not need to be aware of the exact value added for each request but needs to know the range of possible values the relay might use. How a Client might learn about added information is not defined in this document.
Moreover, relays
MAY apply differential treatment to Clients that engage in abusive behavior, e.g., by sending too many requests in comparison to other Clients, or as a response to rate limits signaled from the gateway. Any such differential treatment can reveal information to the gateway that would not be revealed otherwise and therefore reduce the size of the anonymity set of Clients using a gateway. For example, if a relay chooses to rate limit or block an abusive Client, this means that any Client requests that are not treated this way are known to be non-abusive by the gateway. Clients need to consider the likelihood of such differential treatment and the privacy risks when using a relay.
Some patterns of abuse cannot be detected without access to the request that is made to the target. This means that only the gateway or the target is in a position to identify abuse. A gateway
MAY send signals toward the relay to provide feedback about specific requests. For example, a gateway could respond differently to requests it cannot decapsulate, as mentioned in
Section 5.2. A relay that acts on this feedback could -- either inadvertently or by design -- lead to Client deanonymization.
As there are privacy benefits from having a large rate of requests forwarded by the same relay (see
Section 6.2.3), servers that operate the
Oblivious Gateway Resource might need an arrangement with
Oblivious Relay Resources. This arrangement might be necessary to prevent having the large volume of requests being classified as an attack by the server.
If a server accepts a larger volume of requests from a relay, it needs to trust that the relay does not allow abusive levels of request volumes from
Clients. That is, if a server allows requests from the relay to be exempt from rate limits, the server might want to ensure that the relay applies a rate-limiting policy that is acceptable to the server.
Servers that enter into an agreement with a relay that enables a higher request rate might choose to authenticate the relay to enable the higher rate.
Using HTTPS protects information about which resources are the subject of request and prevents a network observer from being able to trivially correlate messages on either side of a relay. However, using HTTPS does not prevent traffic analysis by such network observers.
The time at which Encapsulated Request or Response messages are sent can reveal information to a network observer. Though messages exchanged between the
Oblivious Relay Resource and the
Oblivious Gateway Resource might be sent in a single connection, traffic analysis could be used to match messages that are forwarded by the relay.
A relay could, as part of its function, delay requests before forwarding them. Delays might increase the anonymity set into which each request is attributed. Any delay also increases the time that a
Client waits for a response, so delays
SHOULD only be added with the consent -- or at least awareness -- of Clients.
A relay that forwards large volumes of exchanges can provide better privacy by providing larger sets of messages that need to be matched.
Traffic analysis is not restricted to network observers. A malicious Oblivious Relay Resource could use traffic analysis to learn information about otherwise encrypted requests and responses relayed between Clients and gateways. An Oblivious Relay Resource terminates TLS connections from Clients, so they see message boundaries. This privileged position allows for richer feature extraction from encrypted data, which might improve traffic analysis.
Clients and Oblivious Gateway Resources can use padding to reduce the effectiveness of traffic analysis. Padding is a capability provided by binary HTTP messages; see [
BINARY]. If the encapsulation method described in this document is used to protect a different message type (see
Section 4.6), that message format might need to include padding support. Oblivious Relay Resources can also use padding for the same reason but need to operate at the HTTP layer since they cannot manipulate binary HTTP messages; for example, see [
HTTP/2] or [
HTTP/3]).
The
Oblivious Gateway Resource can be operated by a different entity than the
Target Resource. However, this means that the
Client needs to trust the Oblivious Gateway Resource not to modify requests or responses. This analysis concerns itself with a deployment scenario where a single server provides both the Oblivious Gateway Resource and Target Resource.
A server that operates both Oblivious Gateway and Target Resources is responsible for removing request encryption, generating a response to the
Encapsulated Request, and encrypting the response.
Servers should account for traffic analysis based on response size or generation time. Techniques such as padding or timing delays can help protect against such attacks; see
Section 6.2.3.
If separate entities provide the Oblivious Gateway Resource and Target Resource, these entities might need an arrangement similar to that between server and relay for managing denial of service; see
Section 6.2.2. Moreover, the Oblivious Gateway Resource
SHOULD have some mechanism to ensure that the Oblivious Gateway Resource is not misused as a relay for HTTP messages to an arbitrary Target Resource, such as an allowlist.
Non-secure requests -- such as those with the "http" scheme as opposed to the "https" scheme --
SHOULD NOT be used if the Oblivious Gateway and Target Resources are not on the same origin. If messages are forwarded between these resources without the protections afforded by HTTPS, they could be inspected or modified by a network attacker. Note that a request could be forwarded without protection if the two resources share an origin.
An
Oblivious Gateway Resource needs to have a plan for replacing keys. This might include regular replacement of keys, which can be assigned new key identifiers. If an Oblivious Gateway Resource receives a request that contains a key identifier that it does not understand or that corresponds to a key that has been replaced, the server can respond with an HTTP 422 (Unprocessable Content) status code.
A server can also use a 422 status code if the server has a key that corresponds to the key identifier, but the
Encapsulated Request cannot be successfully decrypted using the key.
A server
MUST ensure that the HPKE keys it uses are not valid for any other protocol that uses HPKE with the "message/bhttp request" label. Designers of protocols that reuse this encryption format, especially new versions of this protocol, can ensure key diversity by choosing a different label in their use of HPKE. The "message/bhttp response" label was chosen for symmetry only as it provides key diversity only within the HPKE context created using the "message/bhttp request" label; see
Section 4.6.
A server is responsible for either rejecting replayed requests or ensuring that the effect of replays does not adversely affect
Clients or resources.
Encapsulated Requests can be copied and replayed by the
Oblivious Relay Resource. The threat model for Oblivious HTTP allows the possibility that an Oblivious Relay Resource might replay requests. Furthermore, if a Client sends an Encapsulated Request in TLS early data (see [
TLS] and [
RFC 8470]), a network-based adversary might be able to cause the request to be replayed. In both cases, the effect of a replay attack and the mitigations that might be employed are similar to TLS early data.
It is the responsibility of the application that uses Oblivious HTTP to either reject replayed requests or ensure that replayed requests have no adverse effect on their operation. This section describes some approaches that are universally applicable and suggestions for more targeted techniques.
A Client or Oblivious Relay Resource
MUST NOT automatically attempt to retry a failed request unless it receives a positive signal indicating that the request was not processed or forwarded. The HTTP/2 REFUSED_STREAM error code ([
HTTP/2]), the HTTP/3 H3_REQUEST_REJECTED error code ([
HTTP/3]), or a GOAWAY frame with a low enough identifier (in either protocol version) are all sufficient signals that no processing occurred. HTTP/1.1 [
HTTP/1.1] provides no equivalent signal. Connection failures or interruptions are not sufficient signals that no processing occurred.
The anti-replay mechanisms described in [
TLS] are generally applicable to Oblivious HTTP requests. The encapsulated keying material (or
enc) can be used in place of a nonce to uniquely identify a request. This value is a high-entropy value that is freshly generated for every request, so two valid requests will have different values with overwhelming probability.
The mechanism used in TLS for managing differences in Client and server clocks cannot be used as it depends on being able to observe previous interactions. Oblivious HTTP explicitly prevents such linkability.
The considerations in [
RFC 8470] as they relate to managing the risk of replay also apply, though there is no option to delay the processing of a request.
Limiting requests to those with safe methods might not be satisfactory for some applications, particularly those that involve the submission of data to a server. The use of idempotent methods might be of some use in managing replay risk, though it is important to recognize that different idempotent requests can be combined to be not idempotent.
Even without replay prevention, the server-chosen
response_nonce field ensures that responses have unique AEAD keys and nonces even when requests are replayed.
Clients SHOULD include a
Date header field in
Encapsulated Requests, unless the Client has prior knowledge that indicates that the
Oblivious Gateway Resource does not use
Date for anti-replay purposes.
Though HTTP requests often do not include a
Date header field, the value of this field might be used by a server to limit the amount of requests it needs to track if it needs to prevent replay attacks.
An Oblivious Gateway Resource can maintain state for requests for a small window of time over which it wishes to accept requests. The Oblivious Gateway Resource can store all requests it processes within this window. Storing just the
enc field of a request, which should be unique to each request, is sufficient. The Oblivious Gateway Resource can reject any request that is the same as one that was previously answered within that time window or if the
Date header field from the decrypted request is outside of the current time window.
Oblivious Gateway Resources might need to allow for the time it takes requests to arrive from the Client, with a time window that is large enough to allow for differences in clocks. Insufficient tolerance of time differences could result in valid requests being unnecessarily rejected. Beyond allowing for multiple round-trip times -- to account for retransmission -- network delays are unlikely to be significant in determining the size of the window, unless all potential Clients are known to have excellent timekeeping. A specific window size might need to be determined experimentally.
Oblivious Gateway Resources
MUST NOT treat the time window as secret information. An attacker can actively probe with different values for the
Date field to determine the time window over which the server will accept responses.
An
Oblivious Gateway Resource can reject requests that contain a
Date value that is outside of its active window with a 400 series status code. The problem type [
PROBLEM] of "https://iana.org/assignments/http-problem-types#date" is defined to allow the server to signal that the
Date value in the request was unacceptable.
Figure 8 shows an example response in HTTP/1.1 format.
HTTP/1.1 400 Bad Request
Date: Mon, 07 Feb 2022 00:28:05 GMT
Content-Type: application/problem+json
Content-Length: 128
{"type":"https://iana.org/assignments/http-problem-types#date",
"title": "date field in request outside of acceptable range"}
Disagreements about time are unlikely if both
Client and Oblivious Gateway Resource have a good source of time; see [
NTP]. However, clock differences are known to be commonplace; see Section 7.1 of [
CLOCKSKEW].
Including a
Date header field in the response allows the Client to correct clock errors by retrying the same request using the value of the
Date field provided by the Oblivious Gateway Resource. The value of the
Date field can be copied if the response is fresh, with an adjustment based on the
Age field otherwise; see [
HTTP-CACHING]. When retrying a request, the Client
MUST create a fresh encryption of the modified request, using a new HPKE context.
+---------+ +-------------------+ +----------+
| Client | | Relay and Gateway | | Target |
| | | Resources | | Resource |
+----+----+ +----+-----------+--+ +----+-----+
| | | |
| | | |
| Request | | |
+============================>+------------->|
| | | |
| | | 400 Response |
| | | + Date |
|<============================+<-------------+
| | | |
| Request | | |
| + Updated Date | | |
+============================>+------------->|
| | | |
Retrying immediately allows the
Oblivious Gateway Resource to measure the round-trip time to the
Client. The observed delay might reveal something about the location of the Client. Clients could delay retries to add some uncertainty to any observed delay.
Intermediaries can sometimes rewrite the
Date field when forwarding responses. This might cause problems if the Oblivious Gateway Resource and intermediary clocks differ by enough to cause the retry to be rejected. Therefore, Clients
MUST NOT retry a request with an adjusted date more than once.
Oblivious Gateway Resources that condition their responses on the
Date header field
SHOULD either ensure that intermediaries do not cache responses (by including a
Cache-Control directive of
no-store) or designate the response as conditional on the value of the
Date request header field (by including the token "date" in a
Vary header field).
Clients
MUST NOT use the date provided by the Oblivious Gateway Resource for any other purpose, including future requests to any resource. Any request that uses information provided by the Oblivious Gateway Resource might be correlated using that information.
This document does not provide forward secrecy for either requests or responses during the lifetime of the
key configuration. A measure of forward secrecy can be provided by generating a new key configuration then deleting the old keys after a suitable period.
This design does not provide post-compromise security for responses.
A
Client only needs to retain keying material that might be used to compromise the confidentiality and integrity of a response until that response is consumed, so there is negligible risk associated with a Client compromise.
A server retains a secret key that might be used to remove protection from messages over much longer periods. A server compromise that provided access to the
Oblivious Gateway Resource secret key could allow an attacker to recover the plaintext of all requests sent toward affected keys and all of the responses that were generated.
Even if server keys are compromised, an adversary cannot access messages exchanged by the Client with the
Oblivious Relay Resource as messages are protected by TLS. Use of a compromised key also requires that the Oblivious Relay Resource cooperate with the attacker or that the attacker is able to compromise these TLS connections.
The total number of messages affected by server key compromise can be limited by regular rotation of server keys.
Including a
Date field in requests reveals some information about the
Client clock. This might be used to fingerprint Clients [
UWT] or to identify Clients that are vulnerable to attacks that depend on incorrect clocks.
Clients can randomize the value that they provide for
Date to obscure the true value of their clock and reduce the chance of linking requests over time. However, this increases the risk that their request is rejected as outside the acceptable window.
The
key configuration media type defined in
Section 3.2 represents keying material. The content of this media type is not active (see
Section 4.6 of
RFC 6838), but it governs how a
Client might interact with an
Oblivious Gateway Resource. The security implications of processing it are described in
Section 6.1; privacy implications are described in
Section 7.
The security implications of handling the message media types defined in
Section 4.5 is covered in other parts of this section in more detail. However, these message media types are also encrypted encapsulations of HTTP requests and responses.
HTTP messages contain content, which can use any media type. In particular, requests are processed by an Oblivious
Target Resource, which -- as an HTTP resource -- defines how content is processed; see [
HTTP]. HTTP clients can also use resource identity and response content to determine how content is processed. Consequently, the security considerations of [
HTTP] also apply to the handling of the content of these media types.
This document generally assumes that the same entity operates the
Oblivious Gateway Resource and the
Target Resource. However, as the Oblivious Gateway Resource performs generic HTTP processing, the use of forwarding cannot be completely precluded.
The scheme specified in the
Encapsulated Request determines the security requirements for any protocol that is used between the Oblivious Gateway and Target Resources. Using HTTPS is
RECOMMENDED; see
Section 6.3.
A Target Resource that is operated on a different server from the Oblivious Gateway Resource is an ordinary HTTP resource. A Target Resource can privilege requests that are forwarded by a given Oblivious Gateway Resource if it trusts the operator of the Oblivious Gateway Resource to only forward requests that meet the expectations of the Target Resource. Otherwise, the Target Resource treats requests from an Oblivious Gateway Resource no differently than any other HTTP client.
For instance, an Oblivious Gateway Resource might -- possibly with the help of
Oblivious Relay Resources -- be trusted not to forward an excessive volume of requests. This might allow the Target Resource to accept a greater volume of requests from that Oblivious Gateway Resource relative to other HTTP clients.
An Oblivious Gateway Resource could implement policies that improve the ability of the Target Resource to implement policy exemptions, such as only forwarding requests toward specific Target Resources according to an allowlist; see
Section 6.3.