Re: [TLS] Next Protocol Negotiation 03
Adam Langley <agl@chromium.org> Wed, 14 November 2012 22:51 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19BC921F874A for <tls@ietfa.amsl.com>; Wed, 14 Nov 2012 14:51:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2XbhF0havJjI for <tls@ietfa.amsl.com>; Wed, 14 Nov 2012 14:51:40 -0800 (PST)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id 818E321F8721 for <tls@ietf.org>; Wed, 14 Nov 2012 14:51:40 -0800 (PST)
Received: by mail-ie0-f172.google.com with SMTP id 9so1579510iec.31 for <tls@ietf.org>; Wed, 14 Nov 2012 14:51:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=ZvYfqm6ZZKiFNhyAc4yn070uXKyzua0MFDmDirBOfLA=; b=PHPd/czcaHgVCptpJ5xXM+LJ7oo2A2WG7gHj81ot0fWH3vymWCoOw26xL2R2Luo2Tc 3pdgbDXvZEulAWSeAxV19DDUN7VVIE/mwGV6wFYzRZFSINX8t8nNUs50NH/bATN9jQ2l FEeFqPqeplUZCPtAnTzbIIdLx1Vj/4nXPn+WzPrmlZCF/NXoiQNjaHTWZiCb1RrdLIA8 4JxN0SWZtraUUYrxfsKWYBjylT2v2crIYJgEozTGHLpR5olZNfYpiwXKWaCc205Tf/fM A5I+9QIIduF+g66KemXSsNrbICTnR3TxitgpuSkKKydgwZgpGffCMQt24y1WUoqpYhym ewxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=ZvYfqm6ZZKiFNhyAc4yn070uXKyzua0MFDmDirBOfLA=; b=TS/F8rA8NJplFtXXmlJWY/V/fvTd0dQQSKACrO7qxzAOXsRiaIiRnUII4Lu3XlG2zx 7ZzEwljfgCC9YNQeIAMeUWbqWc6vHhpFpSKW5stqmXEgusWtwLxyS3vHcm8v7gi9qs4F 9WvJcjEf7gF14EEDjDUvbSL1BxI4utQdxdT2wrDGAzib+z5LD6Xv5yw9VW5zmEBe+ZWE giVAmXje3sbFLjUBD0HrABpY1FLz9jTsfBuW/I/JzRFrNEjlgnz25/zJUl+K4YBdEePp S/TkC0R8EZAsp3wPdFO0UF7iE0gkZ0a1DMw2v++GDlzq4Hx5X2juXv6OqTKesqRDoJSr gvaw==
MIME-Version: 1.0
Received: by 10.50.0.204 with SMTP id 12mr838133igg.54.1352933499783; Wed, 14 Nov 2012 14:51:39 -0800 (PST)
Sender: agl@google.com
Received: by 10.231.85.9 with HTTP; Wed, 14 Nov 2012 14:51:39 -0800 (PST)
In-Reply-To: <f5178418cb4549fea8e210d6a3bc22d1@BN1PR03MB072.namprd03.prod.outlook.com>
References: <CAL9PXLy31VzxLidgOy64MnDAyRE=HU=hxyBXW1rgB+Xnd0vKjA@mail.gmail.com> <4F981528.9010903@gnutls.org> <CAL9PXLzWNTxOjRnVPk67anfAkWizagcAsWRWJM3ShY6oWv9PjA@mail.gmail.com> <4F985162.7040405@extendedsubset.com> <f5178418cb4549fea8e210d6a3bc22d1@BN1PR03MB072.namprd03.prod.outlook.com>
Date: Wed, 14 Nov 2012 17:51:39 -0500
X-Google-Sender-Auth: 2Jpvbs1PRoA8vohEmbFsk6FynT4
Message-ID: <CAL9PXLx4Qc_zjDWC2z_Gg-XAZ_VVNtBun9SpHFWe6Fgs=cpYiw@mail.gmail.com>
From: Adam Langley <agl@chromium.org>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
X-Gm-Message-State: ALoCoQkDC3F+YZ5sg3zM9TZCTVMT5n0iYhX/J6O+544v17xF5wqtWHxwZk3Hl3ZQNyVaMUlU3AIMTYYWEoT2ogXXO2NC98npaSu0JENbhefwX4WTLxZJRBQXQaQOnzBOguTTNjyhgwEZ/hSwQo0d+/VY6NgTKOkWTjk3Rwfe3LwZvH27qfF9UU/G/cg2fV8O7LYxx5A1OTzT
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Next Protocol Negotiation 03
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 22:51:41 -0000
On Wed, Nov 14, 2012 at 3:31 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote: > A number of issues have been raised with regard to the TLS NPN Internet-Draft, including the downgrade attack described by Marsh. Is an updated draft in the works? I've nothing to add to -04 at the moment. I'm afraid you'll have to highlight the attack that you're referring to. Since the messages are covered by the Finished hash, there's no downgrade attack that doesn't also work against anything else in the handshake. The major point of contention that I'm aware of is the addition of encrypted extensions, rather than just negotiating in the client and server hello messages, in the clear. This is clearly additional complexity and the benefit is limited by the fact that the server still advertises in the clear. It's the best that can be done without adding additional round trips. On the complexity side, there haven't been any significant issues with implementations of the similar version of NPN that's currently used by SPDY, except in the case of one hardware accelerator product who had issues. They, however, appear to have figured it out. On the benefits side, although having the server advertise in the clear is unfortunate, that's only needed for supporting client fallback. If the client knows what protocol it supports, it can simply choose it and that choice is protected. Since we're in this position partly because TCP port numbers have become unusable, it seems to be the height of folly to create another cleartext selector and expect a different result. So those reasons, I believe that the current NPN design is the correct one. Cheers AGL
- [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Yoav Nir
- Re: [TLS] Next Protocol Negotiation 03 Jack Lloyd
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Nikos Mavrogiannopoulos
- Re: [TLS] Next Protocol Negotiation 03 Marsh Ray
- Re: [TLS] Next Protocol Negotiation 03 Marsh Ray
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Michael D'Errico
- Re: [TLS] Next Protocol Negotiation 03 Nico Williams
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Peter Saint-Andre
- Re: [TLS] Next Protocol Negotiation 03 Michael D'Errico
- Re: [TLS] Next Protocol Negotiation 03 Nico Williams
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Nico Williams
- Re: [TLS] Next Protocol Negotiation 03 Marsh Ray
- Re: [TLS] Next Protocol Negotiation 03 Michael D'Errico
- Re: [TLS] Next Protocol Negotiation 03 Marsh Ray
- Re: [TLS] Next Protocol Negotiation 03 Martin Rex
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 George Kadianakis
- Re: [TLS] Next Protocol Negotiation 03 Tom Ritter
- Re: [TLS] Next Protocol Negotiation 03 George Kadianakis
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Marsh Ray
- Re: [TLS] Next Protocol Negotiation 03 Wan-Teh Chang
- Re: [TLS] Next Protocol Negotiation 03 Marsh Ray
- Re: [TLS] Next Protocol Negotiation 03 Wan-Teh Chang
- Re: [TLS] Next Protocol Negotiation 03 Martin Rex
- Re: [TLS] Next Protocol Negotiation 03 Marsh Ray
- Re: [TLS] Next Protocol Negotiation 03 Ben Laurie
- Re: [TLS] Next Protocol Negotiation 03 Andrei Popov
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Andrei Popov
- Re: [TLS] Next Protocol Negotiation 03 Adam Langley
- Re: [TLS] Next Protocol Negotiation 03 Paul Hoffman
- Re: [TLS] Next Protocol Negotiation 03 Andrei Popov