Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard
"Stephan Friedl (sfriedl)" <sfriedl@cisco.com> Sat, 14 December 2013 00:28 UTC
Return-Path: <sfriedl@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72C531AE0F3; Fri, 13 Dec 2013 16:28:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1yX091-LnWNL; Fri, 13 Dec 2013 16:28:37 -0800 (PST)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9261ADFAD; Fri, 13 Dec 2013 16:28:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9123; q=dns/txt; s=iport; t=1386980911; x=1388190511; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+1eQ/pJMjfZvA6BNr2hytOrzvc/IGhzeVujgi3oUTpA=; b=XgtvQIfu9fDr9+orszC9UHDCiMLmWpXD5qSbipq4vsGMho3JQoaTFRjZ JAk23AY/H3Ywqe/0vcOxBOejuxaLZJ+PRLHzvuRYUcBujzP+55JpIMyUL PtQafRLIAtqDjWcE6WA8nOzscLdmQFKQdP7IOK+V+23pw/r4AzH7L5gY2 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhUFAB6lq1KtJV2c/2dsb2JhbABZgwo4VbhggSIWdIIlAQEBAwEBAQEaHTQLBQcEAgEIDgMEAQEBCgsJBQQHJwsUCQgCBA4FCBOHYQgNymYXjikbAQEeMQIFBgSDGYETAQOqKoFsgT6BcTk
X-IronPort-AV: E=Sophos;i="4.95,482,1384300800"; d="scan'208";a="288471792"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-9.cisco.com with ESMTP; 14 Dec 2013 00:28:30 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id rBE0SUmg029615 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 14 Dec 2013 00:28:30 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.231]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.03.0123.003; Fri, 13 Dec 2013 18:28:30 -0600
From: "Stephan Friedl (sfriedl)" <sfriedl@cisco.com>
To: Alyssa Rowan <akr@akr.io>
Thread-Topic: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard
Thread-Index: AQHO+DuFs2oYMzPJ906OnKLd/YTTY5pTDMOA//+9RVA=
Date: Sat, 14 Dec 2013 00:28:29 +0000
Message-ID: <2AA4F2B7B0341A4CA4DAB10D4EDA0D7C2322C978@xmb-aln-x02.cisco.com>
References: <20131213171608.10285.15352.idtracker@ietfa.amsl.com> <9D6C4F2B-25ED-4A2A-AE89-03122D7213B8@vpnc.org> <52AB6323.2050107@akr.io> <FB25564E-DD77-45B1-B9B7-605C6F581E70@checkpoint.com>
In-Reply-To: <FB25564E-DD77-45B1-B9B7-605C6F581E70@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.19.81.153]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<iesg@ietf.org>" <iesg@ietf.org>, "<ietf@ietf.org>" <ietf@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 00:28:40 -0000
I fear that there is a perception that ALPN leaks information like a sieve and NPN doesn't leak at all. Both extensions leak information in plain text - they just leak different information. NPN leaks the entire list of protocols available on a host/port combination and encrypts the single protocol selected by the client. When watching a single TLS negotiation using NPN, a passive attacker knows all the protocols exposed by a server and therefore has a big head start on identifying the single protocol chosen by the client as well as assessing a server for potential vulnerabilities to exploit - effectively an instant port scan. In contrast ALPN has the client advertising the protocols it supports in plaintext and has the server's selection of a protocol returned in plaintext. In ALPN the entire list of protocols supported by a given host on a given port is never revealed during a single TLS negotiation. Also, I agree with Yoav's take on ALPN as simple networking and not a 'cryptographic protocol'. All ALPN does is provides the protocol to be used for a connection when the port number is no longer definitive. ALPN is a plain, vanilla extension - whereas NPN does introduce some non-standard twists to TLS extension practice in that the negotiation is not encapsulated in the hello messages and that it introduces a padded handshake message between the ChangeCipherSpec and Finished messages. Thanks, Stephan > -----Original Message----- > From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Yoav Nir > Sent: Friday, December 13, 2013 2:43 PM > To: Alyssa Rowan > Cc: <ietf@ietf.org>; <tls@ietf.org>; <iesg@ietf.org> > Subject: Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> > (Transport Layer Security (TLS) Application Layer Protocol Negotiation > Extension) to Proposed Standard > > Hi Alyssa > > I mostly agree with the facts presented below. However: > > - I object to characterizing this as a "cryptographic protocol". This is simple > networking. Just as Ethernet tells us there's IP inside, and IP tells us there's > TCP inside, and TCP tells us about port 443 (which used to mean https), we > now have TLS tell us whether there's HTTP/1 or HTTP/2 inside. This is needed > because the HTTP specifications and implementations don't handle version > negotiation well. This can have security implications, but it's not a > cryptographic protocol. > > - Mass surveillance is a concern. It is not the only concern. The IP address of > the server I'm accessing leaks far more important information then whether > I'm using HTTP/1 or HTTP/2. This may also leak the browser version, but that > can also be readily recognized by looking at the ciphersuite list. Sure, others > (including me) raised all sorts of possibilities for extra used for ALPN. For > now, there's only the two versions of HTTP. We haven't heard anyone > explain what good knowing the version of HTTP does to a nation state > adversary. > > - The chairs did not ignore the requests. They rejected them. You can still > disagree. One thing is missing from the account of the hum at IETF 87. Yes, > there were some voices for each proposal, and that does not a consensus > make. But then Sean asked a different question, and got overwhelming > support for the statement that reaching a decision right then was important, > and that we didn't want to wait and discuss it more. That is why the choice > between them was done as an almost vote - nearly all of us at the time > preferred to get *a* decision rather than keep hashing the subject over and > over again. Rolling back, as people are suggesting now, runs contrary to that > consensus. > > - I've read that message suggesting the chairs had conflict of interest. There's > no question the chairs worked to rush this decision, but my memory is that > they mostly wanted to avoid accepting this work item at all. Having accepted > it, they may have had a bias for less radical changes, but I don't remember > any "railroading". > > While I prefer ALPN, I wouldn't consider it tragic to have had NPN. But we (in > the sense of the IETF, mostly the httpbis group) have a goal for a feature > complete document for HTTP/2 with multiple interoperable implementations > in the wild. This requires the negotiation part to be done. Rolling back the TLS > WG decision now puts that goal at risk, so I oppose it. > > Yoav > > > On Dec 13, 2013, at 9:42 PM, Alyssa Rowan <akr@akr.io> wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA512 > > > > On 13/12/2013 17:27, Paul Hoffman wrote: > > > >> A hum was taken at IETF 87 for the WG to pick between this proposal > >> and another; there were many hums in the room for each, with more for > >> this proposal. That hum was not taken to the WG mailing list. Since > >> then, many people have given strong reasons to prefer the other > >> proposal for technical reasons. > > > > Strongly seconded. This cryptographic protocol is not ready yet, and > > requires careful reconsideration on-list, and at the very least a > > public on-list call for consensus - which it does not seem to have > > received - before deciding whether it is appropriate to proceed. > > > > * At IETF 88's Technical Plenary, serious concerns were raised about > > mass surveillance of data and metadata by Nation State Adversaries. > > > > * Decisions were made at IETF 88, with overwhelming consensus, that > > new protocols MUST consider the impact they have on mass surveillance. > > > > * ALPN has no such consideration. It leaks plaintext metadata which > > its competitor, NPN, encrypts. This makes ALPN quantitatively more > > vulnerable to passive attackers, including Nation State Adversaries. > > [It may be that a future TLS 1.3 can encrypt the whole ClientHello; > > but that is not the current state-of-play. As it stands, it would be > > plaintext.] > > > > * Profound concerns have been raised about the protocol and the voting > > process. A call has been made for at the very least the opportunity > > to stop, rewind, and rethink whether ALPN is appropriate, and for a > > new consensus call. > > <https://www.ietf.org/mail-archive/web/tls/current/msg10892.html> > > > > * The chairs and AD have refused, and simply ignored the concerns. > > <https://www.ietf.org/mail-archive/web/tls/current/msg10947.html> > > <https://www.ietf.org/mail-archive/web/tls/current/msg10948.html> > > > > * It is publicly known that Nation State Adversaries have attempted > > to, and in some cases succeeded in, weakening or backdooring > > cryptographic standards. TLS has very likely been a main target of > > this, as the most-used cryptographic standard on the internet. > > > > <http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal- > nsa > > -campaign-against-encryption.html> > > > > * Concerns have been raised that one or more of the chairs or AD may > > have a conflict of interest and appear to be railroading the process. > > <https://www.ietf.org/mail-archive/web/tls/current/msg10943.html> > > > > * As discussed at the IETF 88 Plenary, especially in light of the > > Snowden BULLRUN disclosures, it is absolutely vital that > > cryptographic standards such as TLS are devised openly, > > transparently, and with clear, public consensus as being the best > > available solution. > > > > * That has not happened with the ALPN extension to date. > > > > Therefore, I second Brian's proposal for a new consensus call and > > discussion on ALPN, and Paul's appeal to the IETF LC: in my opinion, > > it is wholly premature to advance ALPN to Proposed Standard at this time. > > > > - -- > > /akr > > -----BEGIN PGP SIGNATURE----- > > > > > iQIcBAEBCgAGBQJSq2MjAAoJEOyEjtkWi2t6L0MQAIxsdB4aAZvw6XdiIttRzaHR > > bmvvGCScckyUfSFS6t2V36oxp9FNmkEzaXUTpUcRMrJsRlsXgjExlIsYKYqvtPzi > > > x8zPRyc2Yp61zTj2tZI0tlYDwQ3M53Pfy1br+0eLfqqy+dRaPsRyQWHi9FlMLU5u > > > eGaA1KMgUOAZSxNB9oliJOXmSj+DcQpcWpp+D3piYBSINUYrY3xtO31khhG0f > 8xX > > > EOLH7pMwVkyEhQOG83qA801Yt45j0cr6X7Wg34jFhCfCR1xQDbkMLabAXHYT > Wmdo > > > C4cmJQVTHgnYXiIPdwXR87iPpAevBNpoxNQzps1LoHYEM6xpqDwln9aExyaPA > iT6 > > > 4fV+Wr5C22H/Xh+wbkVFPRQEvZbbjDJKGSWyB0i6YKgmUxrF+VQHlJKFrS2Tw > Eni > > nmIIcFFN/bo2f8bwbtLf2bEQRAzz8R2N5gVeLQJcoWEz4lcl/1F2E82tZnd9ArLU > > > XGH5gawLh3bqLZRFUU0VfCYfQSrGy2PtIViyKSLKLCOlI7onL9CGB3jtSuqQDHe > p > > > 8h3yeSk68d0gVVLmRUmx9aZMbOivZOP54t+Q8wwtluuHnGKdN2NU3oAFSf > mDKcRG > > > cEWsddc44tF1eANVWXxJsHe8LvxUA6UCvI19kLxuNcV4RL8lCzWr38YaUVRpqX > by > > cYdzEMv6nqKpAynigGgh > > =u0As > > -----END PGP SIGNATURE----- > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Last Call: <draft-ietf-tls-applayerprotoneg… The IESG
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Paul Hoffman
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Alyssa Rowan
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Martin Thomson
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Stephan Friedl (sfriedl)
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Watson Ladd
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Alyssa Rowan
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Martin Thomson
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Alyssa Rowan
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Alyssa Rowan
- Re: [TLS] Last Call: <draft-ietf-tls-applayerprot… Randy Presuhn