IETF Logo Mail Archive

Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)

Brian Smith <brian@briansmith.org> Wed, 11 December 2013 23:59 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC181AE215 for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 15:59:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tDLq1xit0QUX for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 15:59:52 -0800 (PST)
Received: from mail-qc0-f180.google.com (mail-qc0-f180.google.com [209.85.216.180]) by ietfa.amsl.com (Postfix) with ESMTP id 9B2431AE210 for <tls@ietf.org>; Wed, 11 Dec 2013 15:59:52 -0800 (PST)
Received: by mail-qc0-f180.google.com with SMTP id w7so5636722qcr.39 for <tls@ietf.org>; Wed, 11 Dec 2013 15:59:46 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=t4jfD7L/oirEilt8h8rN/9N37tqqYQAglxB+uLLLmf8=; b=aGtiqefUEWfxwp8ZGPukSgc1ll5UzKly337TaiDuFYoUxO2RFODl29XJngV1Futyxj ZO/hUYoR5TiWPz5ZnnEQuGLEDYoGBxy4gwN4CEOn+3y5GKxU4teL+ygJaftX9q1vdikm ZRYRx2UZlMQh6Ykp86EJBjH2W0zjUZS9gK4Dk9SM5WaAftVscRpsQovAyBC3kRamUv8C PkSq2ZPM39UtcNJxmf2WRWOPC5aqiEeZD3gf7l7BHidRy7RBKGLrxfZt6vsdpSL5bAZ8 Dcw0hr5v8+4xmZTuwJRNZk/VCzNCGLPLDbsk1NCwhSVfsehC+iSsCxBhJoGVOW0wa3oz U+Hw==
X-Gm-Message-State: ALoCoQmmWNJFWND8aKaMAswmU/njMx6q0KpEIuZ2uRQvRCaTy6pAKPBtm/7wUlacbvJmv1BgYWpa
MIME-Version: 1.0
X-Received: by 10.224.25.196 with SMTP id a4mr511520qac.31.1386806386668; Wed, 11 Dec 2013 15:59:46 -0800 (PST)
Received: by 10.224.40.11 with HTTP; Wed, 11 Dec 2013 15:59:46 -0800 (PST)
X-Originating-IP: [63.245.219.54]
In-Reply-To: <r422Ps-1075i-15B42E388C15419DB07EA02DD7439CA7@Williams-MacBook-Pro.local>
References: <87ob4o1dbd.fsf@alice.fifthhorseman.net> <r422Ps-1075i-15B42E388C15419DB07EA02DD7439CA7@Williams-MacBook-Pro.local>
Date: Wed, 11 Dec 2013 15:59:46 -0800
Message-ID: <CAFewVt4mF_xztqANmC-EDQjnCFgTuNc3F_UHxcinPpPtSbPA_g@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Bill Frantz <frantz@pwpconsult.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2013 23:59:54 -0000

On Wed, Dec 11, 2013 at 11:14 AM, Bill Frantz <frantz@pwpconsult.com> wrote:
> We should not insist that a client using the new protocol be able to connect
> of a tls 1.2 server (or below) as a result of tls level negotiation. The
> fallback mechanisms in most browsers can cover that need. The extra design
> freedom will allow us to easily encrypt data that was previously sent in the
> clear without worrying about backward compatibility.

I think us browser people might have unintentionally misled people
about our eagerness to reconnect with downgraded security properties.
I, and other browser people I know, consider it mis-feature, and we'd
love to find a way to stop doing it. So, trying to connect via "TLS
2.0" that has better security/privacy properties, and then insecurely
falling back to TLS 1.2 with worse security/privacy properties, is
something that I'd definitely want to avoid.

There may be cases where the
connect-and-then-reconnect-with-different-parameters approach becomes
useful, but the key there is "different" and not "worse."

Besides being an ineffective security/privacy measure (since any MitM
could induce the fallback to from "TLS 2.0" to TLS 1.2), it would also
be unacceptable due to the added latency for any site that hadn't
upgraded to "TLS 2.0." We are many years away from that becoming a
viable thing for us to do.

Cheers,
Brian
-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

v2.23.0 | Report a Bug | By Email