Re: [TLS] Next Protocol Negotiation 03

Adam Langley <agl@chromium.org> Wed, 14 November 2012 22:51 UTC

On Wed, Nov 14, 2012 at 3:31 PM, Andrei Popov
<Andrei.Popov@microsoft.com> wrote:
> A number of issues have been raised with regard to the TLS NPN Internet-Draft, including the downgrade attack described by Marsh. Is an updated draft in the works?

I've nothing to add to -04 at the moment.

I'm afraid you'll have to highlight the attack that you're referring
to. Since the messages are covered by the Finished hash, there's no
downgrade attack that doesn't also work against anything else in the
handshake.

The major point of contention that I'm aware of is the addition of
encrypted extensions, rather than just negotiating in the client and
server hello messages, in the clear.

This is clearly additional complexity and the benefit is limited by
the fact that the server still advertises in the clear. It's the best
that can be done without adding additional round trips.

On the complexity side, there haven't been any significant issues with
implementations of the similar version of NPN that's currently used by
SPDY, except in the case of one hardware accelerator product which had
issues. They, however, appear to have figured it out.

On the benefits side, although having the server advertise in the
clear is unfortunate, that's only needed for supporting client
fallback. If the client knows what protocol it supports, it can simply
choose it and that choice is protected. Since we're in this position
partly because TCP port numbers have become unusable, it seems to be
the height of folly to create another cleartext selector and expect a
different result.

So, for those reasons, I believe that the current NPN design is the correct one.


Cheers

AGL
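
Added example, not part of the message above or of any NPN implementation: a sketch of why rewriting the server's cleartext protocol advertisement in transit is caught by the Finished check. It assumes the TLS 1.2 PRF with SHA-256 (RFC 5246); the master secret, the hello stand-ins and the protocol names are constructed sample values.

```python
import hashlib
import hmac

NPN_EXT_TYPE = 13172  # next_protocol_negotiation extension number (0x3374)
MASTER_SECRET = bytes(range(48))  # constructed; really derived from the key exchange


def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed  # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def verify_data(master_secret, label, transcript):
    """Finished payload: PRF(ms, label, Hash(handshake_messages))[0..11]."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return p_sha256(master_secret, label + digest, 12)


def npn_extension(protocols):
    """Extension bytes: type, length, then 1-byte-length-prefixed names."""
    body = b"".join(bytes([len(p)]) + p for p in protocols)
    return NPN_EXT_TYPE.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body


def server_hello(protocols):
    # Constructed stand-in for a ServerHello; only the extension uses the wire layout.
    return b"constructed-server-hello" + npn_extension(protocols)


CLIENT_HELLO = b"constructed-client-hello" + npn_extension([])


def client_finished_accepted(sent_by_server, seen_by_client):
    """True if the server accepts the client's Finished message."""
    client_view = [CLIENT_HELLO, seen_by_client]
    server_view = [CLIENT_HELLO, sent_by_server]
    received = verify_data(MASTER_SECRET, b"client finished", client_view)
    expected = verify_data(MASTER_SECRET, b"client finished", server_view)
    return hmac.compare_digest(received, expected)


honest = server_hello([b"spdy/3", b"http/1.1"])
stripped = server_hello([b"http/1.1"])  # advertisement rewritten in transit
```

The two endpoints hash different transcripts once the advertisement is altered, so the handshake aborts exactly as it would for tampering with any other handshake field.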