IETF Logo Mail Archive

Re: Concluding discussion on #612 (9.2.2)

Martin Thomson <martin.thomson@gmail.com> Wed, 08 October 2014 02:19 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67EE71A8F38 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 7 Oct 2014 19:19:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.787
X-Spam-Level:
X-Spam-Status: No, score=-7.787 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m6heAXwYKesK for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 7 Oct 2014 19:19:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 024E81A87A4 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 7 Oct 2014 19:19:45 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XbgnR-0000nw-QS for ietf-http-wg-dist@listhub.w3.org; Wed, 08 Oct 2014 02:16:09 +0000
Resent-Date: Wed, 08 Oct 2014 02:16:09 +0000
Resent-Message-Id: <E1XbgnR-0000nw-QS@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1XbgnN-0000nC-QK for ietf-http-wg@listhub.w3.org; Wed, 08 Oct 2014 02:16:05 +0000
Received: from mail-lb0-f182.google.com ([209.85.217.182]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1XbgnM-00060M-Bu for ietf-http-wg@w3.org; Wed, 08 Oct 2014 02:16:05 +0000
Received: by mail-lb0-f182.google.com with SMTP id z11so7318090lbi.27 for <ietf-http-wg@w3.org>; Tue, 07 Oct 2014 19:15:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pIINCgV9eh/QWWMlrU1t5/Eu7fbe3qNtcrHOaALQVtA=; b=UNEGVXut7oKb0DPvO5hwPzWejnAjJCXO07NoUnb2WinCBSM/GSpr0XUF9m5ZXS7esd LAHDkK6+oCABp8REt8f6d8kvUhd2NO+Deaqe3Vv6h1BQ2PbRMW9UICMMT+uLGvNWud6O nGxK7KRC1mXdWql/l6jRDMAa8hdTnbMwGOUmrKBUC+yTz2DiQE8zf6LZKH88u8KI8m1I Zr3nbvTBKvem/1wkkOJxFDgqTYd5ySRH5FxN7rV54aiXP2quJN0w6kAChspBsBHFwdSU 0acth1emG8lg7KsMpII0P/cpR7D+pK0t2ZaklEcrJVPWV4JQcCo5KDVmW2hX0V2nMJeL MNVw==
MIME-Version: 1.0
X-Received: by 10.112.50.10 with SMTP id y10mr7490484lbn.0.1412734537951; Tue, 07 Oct 2014 19:15:37 -0700 (PDT)
Received: by 10.25.215.217 with HTTP; Tue, 7 Oct 2014 19:15:37 -0700 (PDT)
Received: by 10.25.215.217 with HTTP; Tue, 7 Oct 2014 19:15:37 -0700 (PDT)
In-Reply-To: <CAFewVt5Fu7VdSx_FpmWPkDaAV7y7Ue4gBfLu_AZb3g8urdq0JQ@mail.gmail.com>
References: <9FEEF0BB-1F6F-4E16-B385-4AC17F680E46@mnot.net> <CABcZeBPoZAM=kd5Z5UxKqYtm8oG9zxrdxFF69tknxQ=3kdqVWQ@mail.gmail.com> <601DB4BB-7C9A-4BF2-99A3-3A99E3D9ABD2@apple.com> <50370dd8c3124ebd9dcccabad4e8bdf0@BL2PR03MB372.namprd03.prod.outlook.com> <CAFewVt5Fu7VdSx_FpmWPkDaAV7y7Ue4gBfLu_AZb3g8urdq0JQ@mail.gmail.com>
Date: Tue, 07 Oct 2014 19:15:37 -0700
Message-ID: <CABkgnnXHcSXV09TKsSKQeu6gtn+TdvXU7eXM7LwREP1rmz9Usg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Mark Nottingham <mnot@mnot.net>, Rob Trace <Rob.Trace@microsoft.com>, Greg Wilkins <gregw@intalio.com>, Eric Rescorla <ekr@rtfm.com>, HTTP Working Group <ietf-http-wg@w3.org>, Michael Sweet <msweet@apple.com>
Content-Type: multipart/alternative; boundary="001a1133645e4bef280504dfe4b2"
Received-SPF: pass client-ip=209.85.217.182; envelope-from=martin.thomson@gmail.com; helo=mail-lb0-f182.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.724, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1XbgnM-00060M-Bu 8aa786af23ea8b3ec18e4d5f2bb911d7
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Concluding discussion on #612 (9.2.2)
Archived-At: <http://www.w3.org/mid/CABkgnnXHcSXV09TKsSKQeu6gtn+TdvXU7eXM7LwREP1rmz9Usg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27522
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I was talking to someone about new research into attacks on RC4, and was
asked if HTTP/2 was potentially interesting. In particular, they were
looking for interesting information in the first 256 bytes of a session,
where the biases are most easily exploited. I noted that it might be
interesting - header compression results in less boilerplate - if it
weren't for the fact we had prohibited use of RC4.
On Oct 7, 2014 6:06 PM, "Brian Smith" <brian@briansmith.org> wrote:

> On Tue, Oct 7, 2014 at 1:13 PM, Rob Trace <Rob.Trace@microsoft.com> wrote:
> > Our feedback on the proposals listed below is that we cannot live with
> 9.2.2 being in the HTTP/2 spec and favor Greg's proposal of "move 9.2.2
> requirements to a document that applies to h1 and h2."
>
> AFAICT, that is not even an option at this stage, without risking
> significant delay and/or making the protocol less secure.
>
> It seems that some people think that 9.2.2 is in the specification due
> to some kind of unnecessary advocacy effort for better cryptography.
> While I think it is good if it has that effect, 9.2.2 is really in the
> the specification because it addresses real security and performance
> concerns.
>
> Many months ago, I was asked, as I'm sure others were, to provide
> feedback about the interaction of TLS and HTTP/2. In particular, is
> HTTP/2 as safe to use as HTTP/1.1 with RC4? Is HTTP/2 as safe to use
> as HTTP/1.1 with TLS 1.0 CBC-mode cipher suites? My feedback, and I
> believe the others' feedback, was that it was a waste of time to try
> to prove that HTTP/2 is as safe to use as HTTP/1.1 in these
> dysfunctional configurations of TLS. That is why I supported making
> RC4, SSL 3.0, and TLS 1.0 MUST NOTs.
>
> Those restrictions were added to an HTTP/2 draft a long time ago (a
> year ago?), and they've remained in the draft (actually, the draft has
> gotten more strict) for a very long time. Consequently, nobody even
> bothered to do a security analysis of HTTP/2 using these dysfunctional
> configurations of TLS, on the assumption that these restrictions would
> remain in place. As it currently stands, it doesn't make sense, given
> what we know about these security footguns, to allow them with HTTP/2,
> because we don't have a clear idea if they are safe to use in
> conjunction with HTTP/2.
>
> While RC4, SSL 3.0, and TLS 1.0 have obvious known problems, it seems
> to me that the restrictions beyond prohibiting those three things are
> more about prevention of as-yet-unknown problems. I think that that
> preventative effort will pay off down the road, probably sooner than
> later. Plus, if we'd have the no-RC4, no-SSL 3.0, and no-TLS 1.0
> restrictions anyway to address practical known concerns, I don't see
> how the additional TLS 1.2, AEAD, and ephemeral key exchange
> requirements are a significant additional burden.
>
> The biggest benefit of HTTP/2 is better performance & efficiency. The
> use of ephemeral key exchange, the symmetric cipher used, and probably
> eventually the version negotiated, are factors used by many clients
> will choose to do False Start or not. The False Start optimization is
> one of the most important optimizations for HTTP. Having the HTTP/2
> specification require a TLS configuration that is roughly the
> intersection of what enables False Start for all major browsers is
> itself enough of a reason to leave things 9.2.2 in the spec.
> Otherwise, implementations will have to indefinitely continue to make
> significant and otherwise-unnecessary, security-for-performance
> trade-offs.
>
> So, again, 9.2.2 serves a real purpose in the spec independently from
> any "better/ideal crypto" advocacy effort. At this point, after 9.2.2
> has been in the drafts for so long, and because people have relied on
> that to avoid the cost of doing additional (wasteful, IMO) security
> analysis, the burden of responsibility for doing any additional
> security analysis for HTTP/2 with currently-prohibited configurations
> of TLS falls on the people that want to remove 9.2.2, before the
> working group should even consider doing so.
>
> Cheers,
> Brian
>

v2.39.1 | Report a Bug | By Email | System Status