Re: [TLS] Request for review: Next Protocol Negotiation Extension

Juho Vähä-Herttua <juhovh@iki.fi> Wed, 18 August 2010 09:36 UTC

Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: multipart/signed; boundary="Apple-Mail-1-1021833375"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Juho Vähä-Herttua <juhovh@iki.fi>
In-Reply-To: <AANLkTi=9TLG4f5eZ6h6duYKvcVueT53H26WNZpWV6TKS@mail.gmail.com>
Date: Wed, 18 Aug 2010 12:37:07 +0300
Message-Id: <F91CB64B-E0F6-42B7-B91B-F9F7464709E1@iki.fi>
References: <AANLkTi=5H_0hGzxMmfNU0hLS=5psW6J3c2to756OT--7@mail.gmail.com> <4C69938A.9080808@gnutls.org> <AANLkTin3eQHNJPuVuVw09FbPUF4RBk7n9RFbc7EaFbM+@mail.gmail.com> <AANLkTi=dfCZNndm678OFkCZdzRhzfmRvBmZVLUD5-ueF@mail.gmail.com> <4C6AB936.1070801@extendedsubset.com> <AANLkTimgjqQMdwqL_xZXGSG5hSMLqDtYH62t698e_hx9@mail.gmail.com> <4C6AD7EA.4040307@extendedsubset.com> <000401cb3e4f$456f6d60$d04e4820$@briansmith.org> <4C6B1BAA.5060303@pobox.com> <AANLkTi=QzEmzuhX=rKkTFjVvWxP5r_0zcVHq00L-4JoS@mail.gmail.com> <4C6B8189.5080406@extendedsubset.com> <AANLkTi=9TLG4f5eZ6h6duYKvcVueT53H26WNZpWV6TKS@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Request for review: Next Protocol Negotiation Extension
Precedence: list

On 18.8.2010, at 11.42, Adam Barth wrote:
>>>> Rather than opaque<0..255>  we need defined encoded values. If not, as
>>>> someone suggested, using existing port assignments, then perhaps a
>>>> string.
>>>> These values should be assigned by IANA. There should be a convention for
>>>> private-use and experimental identifiers. The valid characters,
>>>> whitespace
>>>> rules, and the exact method of string comparison must be defined.
>>> 
>>> I believe that's how the extension works.
>> 
>> I believe in the I-D, and it says:
>> 
>>>    struct {
>>>      opaque selected_protocol<0..255>;
>>>      opaque padding<0..255>;
>>>    } NextProtocol;
>> 
>> There's no description of the contents of the selected_protocol and padding
>> elements!
> 
> Thanks for your feedback.  This looks to be an area in which we can
> improve the extension.

This is a serious concern so far, since if the selected_protocol is not very well defined, two different users of the NPN extension might be conflicting. I don't know if using the port assignments is a good idea, since there are many undocumented and conflicting port uses as well. On the other hand a string identifier just feels a bit dirty...

>>>> But if it requires a software (if not hardware) upgrade to support the
>>>> extension, wouldn't that just encourage deployments to use plain HTTP?
>>> 
>>> Plain HTTP does not support the use cases WebSockets supports.  If it
>>> did, there would be no need to invest in WebSockets.
>> 
>> I thought WebSockets could begin a handshake looking sorta like plain HTTP?
> 
> In my opinion, that handshake is garbage (to use your term).  More
> seriously, I believe we can achieve better security by using TLS+NPN
> instead of the hacky nonce/MD5 handshake that "sorta" looks like plain
> HTTP.

If that handshake is garbage, are there similar plans to "fix" the plain HTTP version of WebSockets, or is the plan that NPN would be used with TLS and the old handshake is used with HTTP? This sounds like it makes the life of WebSockets implementors a much harder, since they have to consider two completely different schemes, wouldn't it?

Since the plan of NPN is to improve the security of WebSockets, what kind of attacks it protects against, compared to simply having the HTTP style handshake negotiation inside a secure TLS connection? I understand that the protocol is much "cleaner" in a way with NPN, but in case it is to be used the earlier concerns about selecting a correct certificate based on the protocol type are valid as well. I think having the NextProtocol handshake message before the ChangeCipherSpec and using renegotiation in case the contents need to be protected could be considered.

Sorry if some questions are already answered, this is a long thread and I haven't read all the messages that carefully. I'm just trying to sum up here what I've seen so far.

Juho

Attachment: smime.p7s

[TLS] Request for review: Next Protocol Negotiati… Adam Barth
Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Peter Sylvester
Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Steingruebl, Andy
Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Geoffrey Keating
Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
Re: [TLS] Request for review: Next Protocol Negot… Juho Vähä-Herttua
Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
Re: [TLS] Request for review: Next Protocol Negot… Peter Gutmann
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico

Re: [TLS] Request for review: Next Protocol Negotiation Extension

Attachment: smime.p7s