http2 opportunistic security negotiation
Erik Nygren <erik@nygren.org> Thu, 05 February 2015 15:13 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0320A1A89B3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 5 Feb 2015 07:13:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.289
X-Spam-Level:
X-Spam-Status: No, score=-6.289 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lG7xxMVlssg3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 5 Feb 2015 07:13:38 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AE711A903E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 5 Feb 2015 07:12:48 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YJO3g-00047l-Ig for ietf-http-wg-dist@listhub.w3.org; Thu, 05 Feb 2015 15:09:32 +0000
Resent-Date: Thu, 05 Feb 2015 15:09:32 +0000
Resent-Message-Id: <E1YJO3g-00047l-Ig@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <nygren@gmail.com>) id 1YJO3a-00045c-3M for ietf-http-wg@listhub.w3.org; Thu, 05 Feb 2015 15:09:26 +0000
Received: from mail-qg0-f46.google.com ([209.85.192.46]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <nygren@gmail.com>) id 1YJO3Z-0001i5-00 for ietf-http-wg@w3.org; Thu, 05 Feb 2015 15:09:26 +0000
Received: by mail-qg0-f46.google.com with SMTP id j5so6494162qga.5 for <ietf-http-wg@w3.org>; Thu, 05 Feb 2015 07:08:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=mocO74GjosNzBP3JCRDy3RELCwG8tZ8AuQt846OweJI=; b=HKE5Jw/U2rQXJFmN1RaKLb2vIl/S1ytyljsuoLFu5607+wHgEiJv8o7nB6N/TP1QLU IrfvsMvRa0ZW7Bexe0WytlCgSjEHWAHwtfhwrmoaEvkS/VfvopQshZg89/PuxyFK0jeQ 0Ve5WVX2OZSIsAtCfnEZ2b18D7H4Sy8cWv9ZBd6TppgHL5VQBo8XNqIGXzd/qSOJ2Zh/ eDytuExlNAurKbuH7dvs266DBUPU4QPe7zgl9f5z7C35GtNZAIXbRltrGCideytO+943 baQYCgd33zCLKBf6GSBDFXilci5i/SrHJiMxVI6j2MiBcytH+uCpWMXhZHoLUTkmclO8 pa/g==
MIME-Version: 1.0
X-Received: by 10.224.79.82 with SMTP id o18mr9022741qak.3.1423148938693; Thu, 05 Feb 2015 07:08:58 -0800 (PST)
Sender: nygren@gmail.com
Received: by 10.140.84.47 with HTTP; Thu, 5 Feb 2015 07:08:58 -0800 (PST)
Date: Thu, 05 Feb 2015 10:08:58 -0500
X-Google-Sender-Auth: QZ4Rt8dU5adOKiKI3RfLLltu43c
Message-ID: <CAKC-DJhOm-4AqfvsdvTL1NBn1kauTBcsah8MBhushsS=5Ods=A@mail.gmail.com>
From: Erik Nygren <erik@nygren.org>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="047d7bdcad5ef413be050e58aec5"
Received-SPF: pass client-ip=209.85.192.46; envelope-from=nygren@gmail.com; helo=mail-qg0-f46.google.com
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-2.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1YJO3Z-0001i5-00 b327609435b6afe67fc37d2d0adc7d05
X-Original-To: ietf-http-wg@w3.org
Subject: http2 opportunistic security negotiation
Archived-At: <http://www.w3.org/mid/CAKC-DJhOm-4AqfvsdvTL1NBn1kauTBcsah8MBhushsS=5Ods=A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28759
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
While digging further into server-side implementation details of the
current opportunistic security draft, we identified a user experience
problem. In particular, for a site that has Virtual Hosts which are
HTTP-only (ie, there is no valid certificate for them), there is no way in
the current proposal to both support Opportunistic Security (negotiate h2
for http scheme over TLS without a necessarily valid certificate) without
also giving users accidentally typing in https URIs a certificate mismatch
interstitial they'd be prompted to click through.
Based on a number of discussions, a preferable behavior when a client tries
to access an HTTP-only site over HTTPS is to error out the TLS negotiation
rather than present a certificate mismatch. However, there is also a
desire for the TLS handshake for OppSec to look identical to a non-OppSec
handshake to external observers. Because of this, the current proposal
(send alpn=h2 for OppSec http scheme and for https scheme) means the server
does not know whether to negotiate h2 for OppSec http or return a TLS
handshake error for "no certificate available for this hostname" which is
the desired https behavior).
One proposal that came out of some offline discussion would be for clients
capable of doing HTTP/2 OppSec to always send in the client_hello
alpn=h2,h2o (where "h2o" here might be some alpn token for HTTP/2 OppSec
for HTTP scheme).
The server would then:
* Negotiate alpn=h2o with a possibly invalid cert for an HTTP-only
ServerName/Host
* Negotiate alpn=h2 with a valid cert for a ServerName/Host supporting HTTPS
* Return a TLS handshake error ("no cert for this hostname") if neither are
available (eg, for HTTP/1.1)
The downside of this is that the "h2o" server_hello negotiation would be
in-the-clear in TLS 1.2 (not desirable), although it will be encrypted in
TLS 1.3. In true "opportunistic" fashion this may be an acceptable
trade-off as clients and servers supporting TLS 1.3 will then get the
additional level of protection over passive eavesdroppers seeing whether
OppSec was negotiated.
Another positive of this approach is that it might be reasonable to also
use an "h1o" ALPN token to allow for OppSec negotiation of HTTP/1.1 over
TLS. For example, extensions like "HTTPS Everywhere" could potentially use
this even without HTTP/2 support. (The problem with an OppSec for HTTP/1.1
had been a lack of a way to negotiate the scheme securely, but a separate
ALPN token provides this.)
Erik
- Re: http2 opportunistic security negotiation Eric Rescorla
- Re: http2 opportunistic security negotiation Erik Nygren
- Re: http2 opportunistic security negotiation Ilari Liusvaara
- Re: http2 opportunistic security negotiation Martin Thomson
- http2 opportunistic security negotiation Erik Nygren
- Re: http2 opportunistic security negotiation Ilari Liusvaara
- Re: http2 opportunistic security negotiation Patrick McManus
- Re: http2 opportunistic security negotiation Erik Nygren
- Re: http2 opportunistic security negotiation Patrick McManus
- Re: http2 opportunistic security negotiation Patrick McManus