9 comments

[ 4.3 ms ] story [ 16.9 ms ] thread
> Oblivious HTTP is primarily useful where privacy risks associated with possible stateful treatment of requests are sufficiently negative that the cost of deploying this protocol can be justified.

It would be great if they included some examples to help readers relate to situations, but I can understand (or guess) that a document like this wants to stay academic and distant from real world since it probably won't age well?

A straightforward answer would be air ticketing. It's well known they identify sessions and manipulate your options to give you a bad deal and them a good deal. If there's an asymmetry of info that is being exploited then this is useful.
So why would they deploy this technology on their servers?
They wouldn't need to. From the article: "Oblivious Target Resource: The resource that is the target of an encapsulated request. This resource logically handles only regular HTTP requests and responses and so might be ignorant of the use of oblivious HTTP to reach it"
I worked in this field and I am certain this is an urban legend. Do you know of any evidence of this "well known" phenomenon?
I experienced this, waaaay back in the web 1.0 days. I forget which airline (maybe Southwest because you can't buy their tickets through a third party), but they would offer a pattern of low-high-medium prices in response to multiple searches. I was able to reliably trigger the pattern by clearing cookies.

However, I don't think anyone does this today. There are too many online ticket agent (including ITA), so it becomes obvious when the lowest fare for a given (city-pair, flight number, class of service, airline) tuple isn't being offered.

The document provides specific examples a couple paragraphs after that statement:

https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-01.htm...

> Examples of where preventing the linking of requests might justify these costs include:

> - DNS queries. DNS queries made to a recursive resolver reveal information about the requester, particularly if linked to other queries.

> - Telemetry submission. Applications that submit reports about their usage to their developers might use oblivious HTTP for some types of moderately sensitive data.