Re: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)

Brian Smith <brian@briansmith.org> Mon, 09 December 2013 16:10 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0281D1AE2DC for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 08:10:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z9iTF8zGciin for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 08:10:33 -0800 (PST)
Received: from mail-qe0-f54.google.com (mail-qe0-f54.google.com [209.85.128.54]) by ietfa.amsl.com (Postfix) with ESMTP id 0274A1ADFCE for <tls@ietf.org>; Mon, 9 Dec 2013 08:10:32 -0800 (PST)
Received: by mail-qe0-f54.google.com with SMTP id cy11so2898715qeb.41 for <tls@ietf.org>; Mon, 09 Dec 2013 08:10:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=snZgCuC622gkyjVML4y6IWJRAkHsxr68/W4ucS1uiKo=; b=WPZ19o+fBAHfHMKIPSUJ/l5wwz9AEV8kc4Ky7v6W61UBv/jawR0VbYRnwQTBRY9LT6 X1e8kX5NPHeOVGXpi/HYatiZc++uk83WwAzI8Bi7QtY7ym37cpgEzKJJKPHMWREzK7c+ 3TjPavY+oP6Lr1LvEGGROWELI4Q2/NICbANmqyQBQ2RsKxa7Xzr46KSJs3ILP7dWb/rg MiKmGr+kSUykz5dBAsBW1e/IjCu2nb76mnBDAt8jRUzARmGtP3GNgV9/gpBVNtlV7F/I lk2stwA+eus2GfRWnWWgo3fOIS8XcWufa82+cJTIW4kWVUseCUdxdgKUg8j7+xf43sxn o0Tw==
X-Gm-Message-State: ALoCoQk3bJhPcqDtLRTY57zWi0xt1UXObDJTMm4CR0nRjLqR22tZoDc6NE2yQWadUgwUFVqbqv1u
MIME-Version: 1.0
X-Received: by 10.224.171.70 with SMTP id g6mr26182333qaz.80.1386605427830; Mon, 09 Dec 2013 08:10:27 -0800 (PST)
Received: by 10.224.40.11 with HTTP; Mon, 9 Dec 2013 08:10:27 -0800 (PST)
X-Originating-IP: [12.216.141.3]
In-Reply-To: <CALR0uiLivdKPbvWtNZCWaiFM0UFSJ-UBb2=wOc+vSodqEqgWFw@mail.gmail.com>
References: <CAFewVt5fNk9HF0uuE1Z_wD=8cme1eCuU8=VJU3RaLLCoPi2p+w@mail.gmail.com> <CALR0uiLivdKPbvWtNZCWaiFM0UFSJ-UBb2=wOc+vSodqEqgWFw@mail.gmail.com>
Date: Mon, 9 Dec 2013 08:10:27 -0800
Message-ID: <CAFewVt4ws683eN8tzh1h2O+BGveEH-Efnyat4bHgkExMfX5trg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Alfredo Pironti <alfredo@pironti.eu>
Content-Type: text/plain; charset=UTF-8
Cc: Peter Gutmann <p.gutmann@auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 16:10:35 -0000

On Mon, Dec 9, 2013 at 7:23 AM, Alfredo Pironti <alfredo@pironti.eu> wrote:
>> The case where the server does not use a certificate that the client
>> would verify correctly as it would in the "normal" HTTPS case is not
>> interesting. However, the case where opportunistic encryption is being
>> used with a certificate that *is* valid (as defined by RFC5280, et
>> al.) is interesting.
>
> I think this pre-condition makes your counter-example invalid.
> A client that only accepts valid certificates is in practice only
> implementing http2, not http2-tls-relaxed, in that client's behavior
> doesn't change.

Let's say the client is connecting to example.org:443 using TLS. There
are two interesting possibilities:

1. The client could be resolving an http:// link that uses
opportunistic encryption. In this case, if the client supports
opportunistic encryption, the client would support "http2-tls-relaxed"
and "http2-tls" (and "http1-tls") and a MitM attack, if attempted,
would succeed.

2. The client could be resolving an https:// link. In this case, the
client would only support "http2-tls" (and "http1-tls") and a MitM
attack, if attempted, would fail in a end-user-notable way.

With ALPN, it is trivial for the MitM to determine which case it is
and act accordingly. With NPN, it is not trivial (it requires
correlating data from multiple connections) and in many cases it may
be impossible (e.g. when an HTTP cache has stored the response with
the alternate-service upgrade header).

> Indeed, but under the assumption that only valid certificates are
> accepted, the behaviors coincide to "http2".

In the case of opportunistic encryption, we would support both valid
and invalid certificates. In the case of normal "http2-tls" and
"http1-tls", we would support only valid certificates.

Cheers,
Brian


-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)