]> The MASQUE Proxy Google LLC
1600 Amphitheatre Parkway Mountain View CA 94043 United States of America dschinazi.ietf@gmail.com
masque proxy kuzh MASQUE (Multiplexed Application Substrate over QUIC Encryption) is a set of protocols and extensions to HTTP that allow proxying all kinds of Internet traffic over HTTP. This document defines the concept of a "MASQUE Proxy", an Internet-accessible node that can relay client traffic in order to provide privacy guarantees. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .
Introduction In the early days of HTTP, requests and responses weren't encrypted. In order to add features such as caching, HTTP proxies were developed to parse HTTP requests from clients and forward them on to other HTTP servers. As SSL/TLS became more common, the CONNECT method was introduced to allow proxying SSL/TLS over HTTP. That gave HTTP the ability to create tunnels that allow proxying any TCP-based protocol. While non-TCP-based protocols were always prevalent on the Internet, the large-scale deployment of QUIC meant that TCP no longer represented the majority of Internet traffic. Simultaneously, the creation of HTTP/3 allowed running HTTP over a non-TCP-based protocol. In particular, QUIC allows disabling loss recovery and that can then be used in HTTP . This confluence of events created both the possibility and the necessity for new proxying technologies in HTTP. This led to the creation of MASQUE (Multiplexed Application Substrate over QUIC Encryption). MASQUE allows proxying both UDP () and IP () over HTTP. While MASQUE has uses beyond improving user privacy, its focus and design are best suited for protecting sensitive information.
Privacy Protections There are currently multiple usage scenarios that can benefit from using a MASQUE Proxy.
Protection from Web Servers Connecting directly to Web servers allows them to access the public IP address of the user. There are many privacy concerns relating to user IP addresses . Because of these, many user agents would rather not establish a direct connection to Web servers. They can do that by running their traffic through a MASQUE Proxy. The Web server will only see the IP address of the MASQUE Proxy, not that of the client.
Protection from Network Providers Some users may wish to obfuscate the destination of their network traffic from their network provider. This prevents network providers from using data harvested from this network traffic in ways the user did not intend.
Partitioning While routing traffic through a MASQUE proxy reduces the network provider's ability to observe traffic, that information is transfered to the proxy operator. This can be suitable for some threat models, but for the majority of users transferring trust from their network provider to their proxy (or VPN) provider is not a meaningful security improvement. There is a technical solution that allows resolving this issue: it is possible to nest MASQUE tunnels such that traffic flows through multiple MASQUE proxies. This has the advantage of partitioning sensitive information to prevent correlation . Though the idea of nested tunnels dates back decades , MASQUE now allows running HTTP/3 end-to-end from a user agent to an origin via multiple nested CONNECT-UDP tunnels. The proxy closest to the user can see the user's IP address but not the origin, whereas the other proxy can see the origin without knowing the user's IP address. If the two proxies are operated by non-colluding entities, this allows hiding the user's IP address from the origin without the proxies knowing the user's browsing history.
Obfuscation The fact that MASQUE is layered over HTTP makes it much more resilient to detection. To network observers, the unencrypted bits in a QUIC connection used for MASQUE are indistinguishable from those of a regular Web browsing connection. Separately, if paired with a non-probeable HTTP authentication scheme , any Web server can also become a MASQUE proxy while remaining indistinguishable from a regular Web server. This defeats detection tools that operate solely on packet formats. However, it is still possible to perform statitiscal analyses on the encrypted data. There exist commercially available products that are able to identify visited websites based solely on the timing and size of encrypted packets. While MASQUE increases the cost of such traffic analysis efforts, it doesn't prevent them from being used at scale. MASQUE implementations can leverage the ability for HTTP/2, HTTP/3, TLS, or QUIC to introduce padding inside the encryption. That enables many defensive strategies such as ensuring that all packets are the same size, or introducing variable amounts of cover traffic. From a theoretical perspective, sending data at a constant bitrate is the only way to fully prevent statistical analysis, but it likely introduces too much overhead to be deployable at scale. Finding padding strategies that balance resistance against statistical analysis with overheads remains an open research problem.
Related Technologies This section discusses how MASQUE fits in with other contemporary privacy-focused IETF protocols.
OHTTP Oblivious HTTP uses a cryptographic primitive that is more lightweight than TLS , making it a great fit for decorrelating HTTP requests. In traditional Web browsing, the user agent will often make many requests to the same origin (e.g., to load HTML, style sheets, images, scripts) and those requests are correlatable since the origin can include identifying query parameters to join separate requests. In such scenarios, MASQUE is a better fit since it operates at the granularity of a connection. However, there are scenarios where a user agent might want to make non-correlatable requests (e.g., to anonymously report telemetry); for those, OHTTP provides better efficiency than using MASQUE with a separate connection per request. While OHTTP and MASQUE are separate technologies that serve different use cases, they can be colocated on the same HTTP server that acts as both a MASQUE Proxy and an OHTTP Relay.
DoH DNS over HTTPS allows encrypting DNS traffic by sending it through an encrypted HTTP connection. Colocating a DoH server with a MASQUE IP proxy provides better performance than using DNS over port 53 inside the encrypted tunnel.
Security Considerations Implementers of a MASQUE proxy need to review the Security Considerations of the documents referenced by this one.
IANA Considerations This document has no IANA actions.
Informative References HTTP/3 The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3. find that 20 year old email about using nested CONNECT tunnels with SSL to improve privacy Upgrading to TLS Within HTTP/1.1 This memo explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. [STANDARDS-TRACK] QUIC: A UDP-Based Multiplexed and Secure Transport This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. An Unreliable Datagram Extension to QUIC This document defines an extension to the QUIC transport protocol to add support for sending and receiving unreliable datagrams over a QUIC connection. HTTP Datagrams and the Capsule Protocol This document describes HTTP Datagrams, a convention for conveying multiplexed, potentially unreliable datagrams inside an HTTP connection. In HTTP/3, HTTP Datagrams can be sent unreliably using the QUIC DATAGRAM extension. When the QUIC DATAGRAM frame is unavailable or undesirable, HTTP Datagrams can be sent using the Capsule Protocol, which is a more general convention for conveying data in HTTP connections. HTTP Datagrams and the Capsule Protocol are intended for use by HTTP extensions, not applications. Proxying UDP in HTTP This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy. Proxying IP in HTTP This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298. IP Address Privacy Considerations Apple Inc. Google Huawei Technologies France S.A.S.U Google This document provides an overview of privacy considerations related to user IP addresses. It includes an analysis of some current use cases for tracking of user IP addresses, mainly in the context of anti-abuse. It discusses the privacy issues associated with such tracking and provides input on mechanisms to improve the privacy of this existing model. It then captures requirements for proposed 'replacement signals' for IP addresses from this analysis. In addition, existing and under-development techniques are evaluated for fulfilling these requirements. Partitioning as an Architecture for Privacy This document describes the principle of privacy partitioning, which selectively spreads data and communication across multiple parties as a means to improve privacy by separating user identity from user data. This document describes emerging patterns in protocols to partition what data and metadata is revealed through protocol interactions, provides common terminology, and discusses how to analyze such models. The Concealed HTTP Authentication Scheme Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes; however, that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed. Prior to this document, there was no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document defines a new non-probeable cryptographic authentication scheme. Oblivious HTTP This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages. Hybrid Public Key Encryption This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. DNS Queries over HTTPS (DoH) This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.
Acknowledgments MASQUE was originally inspired directly or indirectly by prior work from many people. The author would like to thank , , , , , , , , and for their input. In particular, the probing resistance component of MASQUE came from a conversation with as we were preparing a draft for an upcoming Thursday evening BoF. All of the MASQUE enthusiasts and other contributors to the MASQUE working group are to thank for the successful standardization of , , and . The author would like to express immense gratitude to Christophe A., an inspiration and true leader of VPNs.