Re: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)
Brian Smith <brian@briansmith.org> Mon, 09 December 2013 16:10 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0281D1AE2DC for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 08:10:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z9iTF8zGciin for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 08:10:33 -0800 (PST)
Received: from mail-qe0-f54.google.com (mail-qe0-f54.google.com [209.85.128.54]) by ietfa.amsl.com (Postfix) with ESMTP id 0274A1ADFCE for <tls@ietf.org>; Mon, 9 Dec 2013 08:10:32 -0800 (PST)
Received: by mail-qe0-f54.google.com with SMTP id cy11so2898715qeb.41 for <tls@ietf.org>; Mon, 09 Dec 2013 08:10:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=snZgCuC622gkyjVML4y6IWJRAkHsxr68/W4ucS1uiKo=; b=WPZ19o+fBAHfHMKIPSUJ/l5wwz9AEV8kc4Ky7v6W61UBv/jawR0VbYRnwQTBRY9LT6 X1e8kX5NPHeOVGXpi/HYatiZc++uk83WwAzI8Bi7QtY7ym37cpgEzKJJKPHMWREzK7c+ 3TjPavY+oP6Lr1LvEGGROWELI4Q2/NICbANmqyQBQ2RsKxa7Xzr46KSJs3ILP7dWb/rg MiKmGr+kSUykz5dBAsBW1e/IjCu2nb76mnBDAt8jRUzARmGtP3GNgV9/gpBVNtlV7F/I lk2stwA+eus2GfRWnWWgo3fOIS8XcWufa82+cJTIW4kWVUseCUdxdgKUg8j7+xf43sxn o0Tw==
X-Gm-Message-State: ALoCoQk3bJhPcqDtLRTY57zWi0xt1UXObDJTMm4CR0nRjLqR22tZoDc6NE2yQWadUgwUFVqbqv1u
MIME-Version: 1.0
X-Received: by 10.224.171.70 with SMTP id g6mr26182333qaz.80.1386605427830; Mon, 09 Dec 2013 08:10:27 -0800 (PST)
Received: by 10.224.40.11 with HTTP; Mon, 9 Dec 2013 08:10:27 -0800 (PST)
X-Originating-IP: [12.216.141.3]
In-Reply-To: <CALR0uiLivdKPbvWtNZCWaiFM0UFSJ-UBb2=wOc+vSodqEqgWFw@mail.gmail.com>
References: <CAFewVt5fNk9HF0uuE1Z_wD=8cme1eCuU8=VJU3RaLLCoPi2p+w@mail.gmail.com> <CALR0uiLivdKPbvWtNZCWaiFM0UFSJ-UBb2=wOc+vSodqEqgWFw@mail.gmail.com>
Date: Mon, 09 Dec 2013 08:10:27 -0800
Message-ID: <CAFewVt4ws683eN8tzh1h2O+BGveEH-Efnyat4bHgkExMfX5trg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Alfredo Pironti <alfredo@pironti.eu>
Content-Type: text/plain; charset="UTF-8"
Cc: Peter Gutmann <p.gutmann@auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 16:10:35 -0000
On Mon, Dec 9, 2013 at 7:23 AM, Alfredo Pironti <alfredo@pironti.eu> wrote: >> The case where the server does not use a certificate that the client >> would verify correctly as it would in the "normal" HTTPS case is not >> interesting. However, the case where opportunistic encryption is being >> used with a certificate that *is* valid (as defined by RFC5280, et >> al.) is interesting. > > I think this pre-condition makes your counter-example invalid. > A client that only accepts valid certificates is in practice only > implementing http2, not http2-tls-relaxed, in that client's behavior > doesn't change. Let's say the client is connecting to example.org:443 using TLS. There are two interesting possibilities: 1. The client could be resolving an http:// link that uses opportunistic encryption. In this case, if the client supports opportunistic encryption, the client would support "http2-tls-relaxed" and "http2-tls" (and "http1-tls") and a MitM attack, if attempted, would succeed. 2. The client could be resolving an https:// link. In this case, the client would only support "http2-tls" (and "http1-tls") and a MitM attack, if attempted, would fail in a end-user-notable way. With ALPN, it is trivial for the MitM to determine which case it is and act accordingly. With NPN, it is not trivial (it requires correlating data from multiple connections) and in many cases it may be impossible (e.g. when an HTTP cache has stored the response with the alternate-service upgrade header). > Indeed, but under the assumption that only valid certificates are > accepted, the behaviors coincide to "http2". In the case of opportunistic encryption, we would support both valid and invalid certificates. In the case of normal "http2-tls" and "http1-tls", we would support only valid certificates. Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
- [TLS] How ALPN makes the http2-tls-relaxed option… Brian Smith
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Alfredo Pironti
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Brian Smith
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Alfredo Pironti
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Watson Ladd
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Stephen Farrell
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Martin Thomson
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Andrei Popov
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Martin Thomson
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Eric Rescorla
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Brian Smith
- Re: [TLS] How ALPN makes the http2-tls-relaxed op… Martin Thomson