Re: [TLS] ALPN concerns

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 19 November 2013 19:42 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 038A01AE1D4 for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 11:42:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGIjo-KVvf8Z for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 11:42:16 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0244.outbound.protection.outlook.com [207.46.163.244]) by ietfa.amsl.com (Postfix) with ESMTP id 9CB6A1AE1AF for <tls@ietf.org>; Tue, 19 Nov 2013 11:42:16 -0800 (PST)
Received: from BL2PR03MB194.namprd03.prod.outlook.com (10.255.230.142) by BL2PR03MB193.namprd03.prod.outlook.com (10.255.230.141) with Microsoft SMTP Server (TLS) id 15.0.820.5; Tue, 19 Nov 2013 19:42:08 +0000
Received: from BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.47]) by BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.145]) with mapi id 15.00.0820.005; Tue, 19 Nov 2013 19:42:08 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Brian Smith <brian@briansmith.org>
Thread-Topic: [TLS] ALPN concerns
Thread-Index: Ac7avMo2EJNfUuzvrkqBLee9/27ncAAXTtmAAnSaQgAAG44eMA==
Date: Tue, 19 Nov 2013 19:42:08 +0000
Message-ID: <e343ad5e45ac42ad8114ac4ebc09a1ca@BL2PR03MB194.namprd03.prod.outlook.com>
References: <9A043F3CF02CD34C8E74AC1594475C736540E268@uxcn10-tdc06.UoA.auckland.ac.nz> <E774C81546D66E429BF56B1474C7EBBA012CE328CB@SEAEMBX01.olympus.F5Net.com> <CAFewVt5K07p4UTzpkaXMxscbUuBo-jNB=VGF_cscGY3ZhPss-Q@mail.gmail.com>
In-Reply-To: <CAFewVt5K07p4UTzpkaXMxscbUuBo-jNB=VGF_cscGY3ZhPss-Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
x-forefront-prvs: 0035B15214
x-forefront-antispam-report: SFV:NSPM; SFS:(52544002)(24454002)(377454003)(51704005)(51444003)(164054003)(13464003)(45984002)(199002)(189002)(87936001)(51856001)(74366001)(87266001)(2656002)(33646001)(54356001)(76482001)(85306002)(50986001)(81342001)(81542001)(46102001)(53806001)(77096001)(81816001)(56816003)(76796001)(56776001)(76786001)(54316002)(81686001)(15975445006)(63696002)(79102001)(74706001)(74876001)(4396001)(19580395003)(19580405001)(83322001)(65816001)(80022001)(59766001)(77982001)(80976001)(69226001)(49866001)(47446002)(47736001)(76576001)(74662001)(74502001)(47976001)(83072001)(31966008)(74316001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB193; H:BL2PR03MB194.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::2; FPR:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "<tls@ietf.org>" <tls@ietf.org>, Peter Gutmann <p.gutmann@auckland.ac.nz>
Subject: Re: [TLS] ALPN concerns
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 19:42:20 -0000

Hi Brian,

I totally agree that we need to encrypt more information in the TLS handshake, including the client cert and the contents of various extensions, such as SNI and ALPN. Unfortunately, the only way to make this information confidential in the existing versions of TLS is to incur additional round-trips (by using renegotiation, or otherwise exchanging messages after the TLS handshake is complete). This is one of the reasons why the TLS WG is pushing hard to make progress on TLS1.3.

> As far as I've been led to believe, ALPN exists primarily to allow MitM to more easily inspect what protocol the application is speaking and possibly block the application, with as low of a cost to the MitM as possible--i.e.
> exactly the opposite goal of everything we discussed at IETF88 in perpass and in other discussions.

No, ALPN exists primarily to negotiate an application protocol without incurring extra round-trips, to allow the server to pick the application protocol and present the corresponding identity, and to align with the existing TLS extensions.

>I think that in many cases, traffic analysis that relies on timing information will be able to tell with a high degree of accuracy which protocol has been selected for use on the connection. However, traffic analysis cannot tell us what protocols were offered but *not* selected.

Correct, and NPN offers the list of the application protocols in clear-text, so it does not solve this problem.

> I will be sharing a write-up of how this would work shortly. IMO, it is much better to have the long-term solution for protocol and settings negotiation be in the application layer, if it is reasonable to do so.
> I am not one of those people that yell "layer violation" at everything, but if we can avoid later violations in the long term, then we should do so.

If we can avoid application protocol negotiation at the TLS layer without incurring additional round-trips, I am in full support. Looking forward to the write-up.

Thanks,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Brian Smith
Sent: Monday, November 18, 2013 9:59 PM
To: Xiaoyong Wu
Cc: <tls@ietf.org>rg>; Peter Gutmann
Subject: Re: [TLS] ALPN concerns

On Wed, Nov 6, 2013 at 10:00 AM, Xiaoyong Wu <X.Wu@f5.com> wrote:
> As I am explaining this in detail, I would say that another work around on this would be making a client hello that exceeds 512 in length.

Xiaoyong, thank you very much for sharing that with us! That is incredibly useful.

In the thread "Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3," Yoav Nir <ynir@checkpoint.com> wrote:
> I think it would actually be worse than that. Browsers don't want 
> reconnect fallback. So whatever TLS 1.3 looks like, the ClientHello 
> that browsers send will be such that it can be accepted by at least 
> TLS 1.0 servers (and there are plenty of those around). And as others 
> have mentioned, SNI is needed in many cases. Without it, 
> https://www.gmail.com will give you a certificate error.
>
> So you might have a clientHello that leads to super-duper TLS 1.3, but 
> to avoid the need for fallback, you include the SNI (and presumably 
> ALPN) in the ClientHello.

This is exactly right for SNI. Even if we define a new replacement for SNI, browsers will still be sending SNI in the clear for the next 10 years. We should still try to work toward a long-term solution to that problem, but it isn't something that can be solved in the short term.

During the TLS WG session at IETF88, somebody commented that TLS 1.3 is supposed to solve the problem of encrypting information in the ClientHello, so the plaintext vs. cleartext issue shouldn't be a concern for ALPN. But, for the same reason we can't have any near-term solution for encrypting SNI in the ClientHello, we won't have any near-term solution for encrypting ALPN in the ClientHello that would meet browsers needs.

Again, I want to emphasize that Firefox ALREADY solves this problem, even without TLS 1.3, by implementing NPN and avoiding ALPN. If other browsers just turned off ALPN then the problem of how to hide the protocol negotiation information would be solved. As far as I've been led to believe, ALPN exists primarily to allow MitM to more easily inspect what protocol the application is speaking and possibly block the application, with as low of a cost to the MitM as possible--i.e.
exactly the opposite goal of everything we discussed at IETF88 in perpass and in other discussions. I still have a lot of trouble understanding how we can agree in the IETF as a whole that we should be trying to make attacks more difficult, even if we can't make them impossible, but here in the TLS WG, we are literally going out of our way to leak information in the clear unnecessarily.

I think that in many cases, traffic analysis that relies on timing information will be able to tell with a high degree of accuracy which protocol has been selected for use on the connection. However, traffic analysis cannot tell us what protocols were offered but *not* selected. Further, traffic analysis based on timing is more expensive and less reliable than having the information given on a silver platter. In some cases, traffic analysis vs. explicit plaintext leakage might be the difference between reasonable doubt or not. In other cases, the difficulty of discerning two protocols--whether you are sending email (SMTP) or pinging the server to retrieve email
(IMAP) vs loading the login page (HTTP)--may increase the storage and processing cost by an order of magnitude or more, if we can get it to work. Personally, I'm disappointed to hear the arguments that it is not worthwhile to consider trying to solve that problem in the context of the design of ALPN, because we worry it is unsolvable. I feel like we haven't even started trying to solve it yet, so I don't understand why we're giving up so easily.

Further, I don't see a need to rush to a conclusion on ALPN for HTTP/2 given this chart:
https://github.com/http2/http2-spec/wiki/Implementations

At the time I write this, 11/13 support NPN. 6/13 support ALPN, and there are plenty of implementations that can interoperate. Literally, a higher number of products would have to do extra work to reduce the privacy of their protocol and settings negotiation than the number of products that would need to flip a single bit (or less) to have a higher level of privacy protection for the protocol and settings negotiation. (Note that it isn't even clear what settings negotiation
HTTP/2 may add to the protocol negotiation step, so we cannot even debate how sensitive the information in that settings negotiation is when trying to determine if leaking application data in the ALPN extension is acceptable.)

Also note that the Mozilla line in the chart is a little misleading.
Patrick added ALPN support to a private copy of Firefox for the purpose of the interop testing, which is I support. However, Firefox doesn't actually support ALPN in our shipping product, only in Patrick's special build. And, I would very much like to keep it that way.

FWIW, I am working on an experiment for adding NPN support to Thunderbird (an email client based on Gecko, like Firefox), so that Thunderbird can speak SMTP, IMAP, POP, LDAP, and HTTP to a single server on a single port, https://example.org:443/. One purpose of this experiment is to demonstrate how we can get through networks that block, or charge extra money for, email protocols while still allowing HTTPS, without needing separate hostnames for each server. A second purpose is to evaluate whether there are effective ways of making side channel analysis for distinguishing the user's activity--sending email vs retrieving email, for example--or even what product the user is using--Thunderbird vs. Firefox--more difficult than we might first suspect. I would appreciate it if the working group could give me some more time to complete this experiment and/or help me with it, before completely giving up on trying to protect the protocol negotiation information in the handshake.

Also, if we can build a reliable 1-RTT handshake in TLS 1.3, then there may be a design that allows us to remove protocol negotiation from TLS completely, putting it back in the application layer. I will be sharing a write-up of how this would work shortly. IMO, it is much better to have the long-term solution for protocol and settings negotiation be in the application layer, if it is reasonable to do so.
I am not one of those people that yell "layer violation" at everything, but if we can avoid later violations in the long term, then we should do so.

All that said, I am very grateful to the F5 team for sharing the information to work around the interop issue that I originally complained about in my ALPN Concerns email during IETF88. Xiaoyong set a great example for us all and I hope that that kind of openness in sharing information continues here on this list.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM) _______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls