[hybi] On TLS-only Approaches

Eric Rescorla <ekr@rtfm.com> Sun, 22 August 2010 19:45 UTC


I'd like to take a brief detour from the topic of framing and
(re)discuss the topic of whether we want to require TLS only. Aside
from the obvious security advantages, it appears that TLS-based
approaches are likely to be a lot more successful. Adam Langley reports
(http://www.ietf.org/mail-archive/web/tls/current/msg05593.html) that
their tests show 95% success with TLS-only approaches as compared to
67% with HTTP approaches. This argues that people who want to be
successful will choose to run WebSockets over TLS.

OK, you say, so what's the harm in specifying HTTP and HTTPS versions?
I see two arguments against this:

(1) It just increases the attack surface.
(2) It means that we're forced to design things into this protocol that
    we could get from TLS.

Exhibit A for the second argument is of course NPN or something like
it. Currently, we're forced to design a handshake that ensures that the
client and server are both speaking WebSockets; this is necessarily a
bit hacky and likely to either make the proxy problem worse
(encryption) or cost us a round trip (MAC handshake). By contrast, if
we're really using TLS, then we can just build this mechanism into TLS
without paying any penalty.

I just want to get ahead of one possible objection to this line of
reasoning: that there is a performance penalty for TLS. Even if you
don't find the arguments that TLS perf isn't an issue convincing
(http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html), and
FWIW I do, if, as I argue, you're going to pay that cost anyway, then
our goal should be to minimize the cost of the combined system, and
that is easiest to do if we simply assume TLS all the time.

-Ekr
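
Added example, not part of the original message: the in-handshake protocol agreement that the "NPN or something like it" paragraph asks for, shown with Go's crypto/tls, which implements ALPN (RFC 7301), the extension TLS later standardized for this, rather than NPN. The protocol label `ws-demo`, the function names and the throwaway certificate are constructed for the illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// throwawayCert builds a self-signed certificate in memory (constructed test data).
func throwawayCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Negotiate runs one TLS handshake over an in-memory pipe and returns the
// protocol both sides agreed on; no agreement is reported as an error.
func Negotiate(clientOffers, serverSupports []string) (string, error) {
	cs, ss := net.Pipe()
	defer cs.Close()
	// No tickets: nothing is written after Finished to block the unbuffered pipe.
	srv := tls.Server(ss, &tls.Config{Certificates: []tls.Certificate{throwawayCert()},
		NextProtos: serverSupports, SessionTicketsDisabled: true})
	go func() { srv.Handshake(); ss.Close() }()
	// Verification is skipped only because the certificate is a throwaway.
	cli := tls.Client(cs, &tls.Config{InsecureSkipVerify: true, NextProtos: clientOffers})
	if err := cli.Handshake(); err != nil {
		return "", err // e.g. the server's no_application_protocol alert
	}
	if p := cli.ConnectionState().NegotiatedProtocol; p != "" {
		return p, nil
	}
	return "", fmt.Errorf("peer did not confirm an application protocol")
}

func main() {
	fmt.Println(Negotiate([]string{"ws-demo"}, []string{"http/1.1", "ws-demo"}))
	fmt.Println(Negotiate([]string{"ws-demo"}, []string{"http/1.1"}))
}
```

The agreement rides in the ClientHello and the server's reply, so it adds no round trip, and a server that does not speak the offered protocol ends the connection during the handshake instead of misreading application bytes.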