IETF Logo Mail Archive

Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

Greg Wilkins <gregw@intalio.com> Thu, 18 September 2014 05:24 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FB0F1A0692 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Sep 2014 22:24:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.931
X-Spam-Level:
X-Spam-Status: No, score=-7.931 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.652, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mzJceOgwRgtR for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Sep 2014 22:24:30 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F31211A0690 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 17 Sep 2014 22:24:29 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XUUAN-0002rw-T7 for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Sep 2014 05:22:03 +0000
Resent-Date: Thu, 18 Sep 2014 05:22:03 +0000
Resent-Message-Id: <E1XUUAN-0002rw-T7@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <gregw@intalio.com>) id 1XUUA1-0002r4-7I for ietf-http-wg@listhub.w3.org; Thu, 18 Sep 2014 05:21:41 +0000
Received: from mail-wi0-f182.google.com ([209.85.212.182]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <gregw@intalio.com>) id 1XUU9z-0004vU-JQ for ietf-http-wg@w3.org; Thu, 18 Sep 2014 05:21:41 +0000
Received: by mail-wi0-f182.google.com with SMTP id e4so469191wiv.15 for <ietf-http-wg@w3.org>; Wed, 17 Sep 2014 22:21:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ynQZqhn7XeUNqrX9VdlBoEUDQZcfNeAzc1hijwGiE94=; b=G2wuAqDfFTn1R3DuC/29r+y94viOh5GhCRL31Fp4P9u2XtQEzZMRB55a3vs4IMXnOY Un7bt5UWHSCkkSI5VAhNtdg1ij4ELZx0f69sonHFzSnvfFgZzYexJtzbZIjY4Sj33SZ0 nL8irKSAzlgg+BMsALgiwlJmze3QMeRzPLZQ0zpyzefgd5cLYoKAVxR+I/1odUPbPlV4 l2x/6HNXpuDrTH2Ht+fGIuoI9BgJolQfEP5mgBgqgEYQTwnEYBl1oN7Xb2MtHjJUn4cz jtOCluus2Mn2O2J+89J9T0HF1M1u+hKePUXaw1Q13BWHZnMLf+tc4js4vELyHJ0PLG1p dvow==
X-Gm-Message-State: ALoCoQk7lRFFLshSBYW2mpu+71DuGtOjMvaq0LbXhyq9NKVNRUepjeFpbgh08SMTbQcpY4XmNYiZ
MIME-Version: 1.0
X-Received: by 10.194.23.8 with SMTP id i8mr2144219wjf.104.1411017672852; Wed, 17 Sep 2014 22:21:12 -0700 (PDT)
Received: by 10.194.169.98 with HTTP; Wed, 17 Sep 2014 22:21:12 -0700 (PDT)
In-Reply-To: <541A653C.4050903@gmail.com>
References: <CAH_y2NF+sP9BmYuD4QbeHpwC_uj67itzaAFCnRVC6f--KDYOgg@mail.gmail.com> <CAOdDvNopynmwvwWLXvuC0q7skunFXcfRoVHe9s7BKcoCwaBgWQ@mail.gmail.com> <CAH_y2NGXz7e3ejqy_rD=39=yYp3+cS1Dm6c3yFEYZg6tsUp5VQ@mail.gmail.com> <CABkgnnWAdm1TLP2XCKNU-6RPACLfooQV73R7Gpoemv+9PNULCA@mail.gmail.com> <CAH_y2NFLjok-NRJtOw1vmSy68sf393iSOgA4K599q0BSBqbNgA@mail.gmail.com> <CABkgnnU-CMtv8KvYU9n+QoPBOBshtQv3RfLy2qw=qVNb2O-qGg@mail.gmail.com> <CAH_y2NHrbH5Objwhq9E89QexhQtND4uOdy8q7OEckTCU17WqKg@mail.gmail.com> <CAH_y2NErRd4rxinSzEH3-uTjdWVkZu9o6sSKSf47LxfPFTRONw@mail.gmail.com> <20140917073241.GA7665@LK-Perkele-VII> <CAFewVt4pxE+9NpzYuzMKGmEdrDXzk50mC99ZbrM6M-uEoKXrHA@mail.gmail.com> <CAH_y2NGYcDvPcxDvaTRBP3p4Pnb7gw39WUDY3bNVnOGQjBgciQ@mail.gmail.com> <CAFewVt7+UAJYfKAR6DRZi_mqdzSaYw6L-pT1qg=UyOaP1ojhTw@mail.gmail.com> <CAH_y2NEhAEaPiUgi_vX6Oimw+Y-k3WrnL0gJZKPxQ8KZVuFVfw@mail.gmail.com> <CABkgnnU6C+TzJzdeQZhwXucuPUrPh1yyp1cpRd9jSePMjAnONQ@mail.gmail.com> <541A653C.4050903@gmail.com>
Date: Thu, 18 Sep 2014 15:21:12 +1000
Message-ID: <CAH_y2NFKqH8HGfXk0VR2BZ3n1vKPXeQkM0-qVjGhnz_TFGAwew@mail.gmail.com>
From: Greg Wilkins <gregw@intalio.com>
To: Stuart Douglas <stuart.w.douglas@gmail.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Brian Smith <brian@briansmith.org>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="047d7b87414e29a1360503502707"
Received-SPF: permerror client-ip=209.85.212.182; envelope-from=gregw@intalio.com; helo=mail-wi0-f182.google.com
X-W3C-Hub-Spam-Status: No, score=-3.8
X-W3C-Hub-Spam-Report: AWL=-3.086, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1XUU9z-0004vU-JQ ca3a1fcbbea7f6d75dbf0962fe92b4cb
X-Original-To: ietf-http-wg@w3.org
Subject: Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem
Archived-At: <http://www.w3.org/mid/CAH_y2NFKqH8HGfXk0VR2BZ3n1vKPXeQkM0-qVjGhnz_TFGAwew@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27118
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 18 September 2014 14:53, Stuart Douglas <stuart.w.douglas@gmail.com>
wrote:

> I have been looking through the archives and I can't seem to find the
> discussion about how this requirement came about, and I am really
> struggling to understand why it is necessary.
>
> I can't really see how it provides any increased security, given that if a
> cypher that meets these requirements is not available the client is
> expected to fallback to HTTP/1.1 and communicate over the supposedly less
> secure cypher anyway



Stuart,

Martin hinted at the motivation earlier in this thread:

On 6 September 2014 15:03, Martin Thomson <martin.thomson@gmail.com> wrote:

> If clients don't send the "bad" ciphers, then large swathes of the web
> stop working.  No browser wants to do that because that's a trigger
> for a mass exodus of users.  So we end up stuck with ciphers that are
> sort-of-bad-but-not-broken-enough-to-pull.  Which sucks.
>

So he is saying that because browser vendor value market share more than
their users security it is apparently our job to withhold the h2 protocol
or just fail to connect in an  effort to push them towards being good web
citizens.

I don't actually agree with the premise that browser vendors are that
morally corrupt.  I think they have a difficult line to walk between
offering reasonable security and wide spread connectivity.       If they
are offering old ciphers then I am sure that there are significant origin
resources that can only be accessed with them.

But let's accept the premise that browser vendors are indeed morally
corrupt and will deploy insecure ciphers rather than lose market share.
Let's also assume that origin server deployers are also prepared to accept
those bad ciphers and make their content available over them...  I have
absolutely no idea how allowing those two to tango over http/1 rather than
h2 pushes them to any better security practises.   Perhaps the failing
abysmally to connect part might be a bit more persuasive, but I expect that
is more likely to make them remove the good ciphers.

If failure to connect is a driver to better cipher policy, then  we need
not hobble h2 to achieve that.  Instead the browser vendors and server
deployers can simply grow a pair and remove the bad ciphers.

regards



>
>
> Martin Thomson wrote:
>
>> On 17 September 2014 17:09, Greg Wilkins<gregw@intalio.com>  wrote:
>>
>>> Consider clients and servers written in java, so they inherit their
>>> ciphers
>>> from the JVM. At some stage in the future a GCM is replaced by XYZ and
>>> added
>>> to the JVM, so it is part of the acceptable TLS ciphers, but the h2
>>> clients
>>> and servers implementations have adopted your advice to "By default,
>>> assume
>>> that a cipher suite is not acceptable".   So everybody is assuming that
>>> XYZ
>>> is not h2 acceptable.
>>>
>>
>> You can't suddenly pull a cipher suite that people rely on.  We rely
>> on GCM.  We require that implementations support it.
>>
>> Yes, there will be implementations that pick up XYZ, but also don't
>> know that it's OK.  That's expected behaviour sadly.  Not all
>> implementations will be able to examine the properties of the
>> available cipher suites and use properties to determine if they are OK
>> to use.
>>
>>  This is not a theoretical problem.
>>>
>>
>> I disagree, it's a hypothetical problem.
>>
>>  It is a real problem that I have
>>> experienced as FF rolled out their AEAD restriction as rqeuired by 9.2.2
>>> before jetty had implemented the same restriction and while AEAD is not
>>> available on java-7.  I could implement the AEAD restriction in jetty
>>> now to
>>> get connectivity with FF, but would lose connectivity with h2 clients
>>> running java-7.
>>>
>>
>> I'm not sure that this is quite right.  Unless the Java 7 code is
>> singificantly different to the Java 8 code, you should have been able
>> to influence suite selection so that a good suite (i.e., an acceptable
>> one) was chosen.
>>
>>


-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

v2.39.1 | Report a Bug | By Email | System Status