IETF Logo Mail Archive

Re: [TLS] Request for review: Next Protocol Negotiation Extension

Adam Langley <agl@google.com> Wed, 18 August 2010 18:28 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A9A1C3A69F0 for <tls@core3.amsl.com>; Wed, 18 Aug 2010 11:28:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.977
X-Spam-Level:
X-Spam-Status: No, score=-104.977 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUryDqX-W8RT for <tls@core3.amsl.com>; Wed, 18 Aug 2010 11:28:30 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 6C6D33A69F2 for <tls@ietf.org>; Wed, 18 Aug 2010 11:28:30 -0700 (PDT)
Received: from hpaq6.eem.corp.google.com (hpaq6.eem.corp.google.com [172.25.149.6]) by smtp-out.google.com with ESMTP id o7IIT4oV008784 for <tls@ietf.org>; Wed, 18 Aug 2010 11:29:04 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1282156145; bh=aGUEYsP0lN2ap/2qgenbGz0LRjU=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=GOPwpMW87LhnRXWRM66CK22HV+lgMUhL/GQGFwIt+3eZqtpsJOGSUF/D0uNwJtjEO Sm4TLdlATmN3ujUByJjLw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=ZKYG9CdiIShvNVZjAzgHwSdJZ7oq9tCVWrDe1zfR5YnP7zLlws22LCqKXtbDtvJ/w f/kI3ehEFOESLahvJZqnA==
Received: from gwaa20 (gwaa20.prod.google.com [10.200.27.20]) by hpaq6.eem.corp.google.com with ESMTP id o7IIT3wA024448 for <tls@ietf.org>; Wed, 18 Aug 2010 11:29:03 -0700
Received: by gwaa20 with SMTP id a20so434193gwa.37 for <tls@ietf.org>; Wed, 18 Aug 2010 11:29:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.49.8 with SMTP id b8mr632858ybk.439.1282156142344; Wed, 18 Aug 2010 11:29:02 -0700 (PDT)
Received: by 10.231.142.32 with HTTP; Wed, 18 Aug 2010 11:29:02 -0700 (PDT)
In-Reply-To: <AANLkTi=ym+Akh3ExvC48=Rce==Y2Hn96u0pPOnG=u56q@mail.gmail.com>
References: <AANLkTi=5H_0hGzxMmfNU0hLS=5psW6J3c2to756OT--7@mail.gmail.com> <4C69938A.9080808@gnutls.org> <AANLkTin3eQHNJPuVuVw09FbPUF4RBk7n9RFbc7EaFbM+@mail.gmail.com> <AANLkTi=dfCZNndm678OFkCZdzRhzfmRvBmZVLUD5-ueF@mail.gmail.com> <4C6AB936.1070801@extendedsubset.com> <AANLkTimgjqQMdwqL_xZXGSG5hSMLqDtYH62t698e_hx9@mail.gmail.com> <4C6AD7EA.4040307@extendedsubset.com> <000401cb3e4f$456f6d60$d04e4820$@briansmith.org> <4C6B1BAA.5060303@pobox.com> <AANLkTi=QzEmzuhX=rKkTFjVvWxP5r_0zcVHq00L-4JoS@mail.gmail.com> <4C6B8189.5080406@extendedsubset.com> <AANLkTi=9TLG4f5eZ6h6duYKvcVueT53H26WNZpWV6TKS@mail.gmail.com> <4C6C01BE.8080009@extendedsubset.com> <AANLkTi=ym+Akh3ExvC48=Rce==Y2Hn96u0pPOnG=u56q@mail.gmail.com>
Date: Wed, 18 Aug 2010 14:29:02 -0400
Message-ID: <AANLkTikEv_AYJqUVjeUM9HTcw0Kpy5vH1M_va60JRywp@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Marsh Ray <marsh@extendedsubset.com>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Request for review: Next Protocol Negotiation Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 18:28:31 -0000

On Wed, Aug 18, 2010 at 12:13 PM, Adam Langley <agl@google.com> wrote:
> Indeed. Since the initial draft other uses of NPN have been found and
> are probably more compelling. I'm rewriting the motivation at the
> moment.

The draft has been so updated. The only changes are that the
introduction has been rewritten.

http://www.ietf.org/id/draft-agl-tls-nextprotoneg-01.txt


1. Introduction

As the Internet has evolved, it has become commonplace for hosts to
initiate connections based on untrusted and possibly hostile data.
HTTP [RFC2616] clients are currently the most widespread example of
this as they will fetch URLs based on the contents of untrusted
webpages.

Any time that a connection is initiated based on untrusted data there
is the possibility of a cross-protocol attack.  If the attacker can
control the contents of the connection in any way (for example, the
requested URL in an HTTP connection) they may be able to encode a
valid message in another protocol.  The connecting host believes that
it is speaking one protocol but the server understands it to be
another.  The application of Postel's Law exacerbates the issue as
many servers will permit gross violations of the expected protocol in
order to achieve maximum compatibility with clients.

The WebSockets [websockets] protocol seeks to allow low-latency,
full-duplex communication between browsers and HTTP servers.  However,
it also permits an unprecedented amount of attacker control over the
contents of the connection.  In order to prevent cross- protocol
attacks, a mechanism to assure that both client and server are
speaking the same protocol is required.  To this end, Next Protocol
Negotiation extends the TLS [RFC5246] handshake to permit both parties
to agree on their intended protocol.


AGL

v2.23.0 | Report a Bug | By Email