Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 11 December 2013 15:04 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6943D1ADF82 for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 07:04:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dzIlELP8PZff for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 07:04:40 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id E60E21ADED6 for <tls@ietf.org>; Wed, 11 Dec 2013 07:04:39 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id D13DFBE63; Wed, 11 Dec 2013 15:04:33 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 878eCD287L5W; Wed, 11 Dec 2013 15:04:33 +0000 (GMT)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id F21A1BE88; Wed, 11 Dec 2013 15:04:32 +0000 (GMT)
Message-ID: <52A87F00.7000304@cs.tcd.ie>
Date: Wed, 11 Dec 2013 15:04:32 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, IETF TLS Working Group <tls@ietf.org>
References: <CAFewVt7SS9ud8J=6VtR-Zv-9bhaTHEnjT8XD+ULaRSVUkYftaQ@mail.gmail.com> <52A77DB4.7020501@gmx.net> <52A7935E.5020906@cs.tcd.ie> <87ob4o1dbd.fsf@alice.fifthhorseman.net>
In-Reply-To: <87ob4o1dbd.fsf@alice.fifthhorseman.net>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2013 15:04:43 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/10/2013 11:44 PM, Daniel Kahn Gillmor wrote: > On Tue 2013-12-10 17:19:10 -0500, Stephen Farrell wrote: >> FWIW, I agree with you in general, but in this case the privacy >> leak is non-existent if its only HTTP/1.1 vs HTTP/2.0 - since the >> binary encoding and lack of head-of-line blocking in the latter >> will give that game away anyway. > > i don't think i understand this argument. are you saying that > traffic analysis will disclose what protocol is in use in this > case? I believe so, esp since there's just http/1.1 and http/2.0 in question (well, maybe spdy too for some time). If hiding that somewhat is the claimed benefit and if that diverted scarce WG resources away from tls1.3 then I figure doing the work in tls1.3 is better. > if so, that's still a win; we've forced a passive attacker to move > from trivial byte-string matching to traffic analysis, which is > more complex and less certain. If we're only dealing with the above protocols, then I don't think it'd be at all hard to distinguish 'em. > And we can further complicate traffic analysis with other > approaches like Pironti's length hiding: > > http://tools.ietf.org/html/draft-pironti-tls-length-hiding-00 I really like the idea of meeting that requirement. But again it seems to me like it'd be better baked into tls1.3 and not done as an extension to tls1.2 or earlier. My reasoning there assumes that we figure tls1.3 will be widely deployed more quickly than previous updates due to the collective win of running http/2.0 over tls1.3. Doing a lot of things in both tls1.3 and as extensions to earlier versions also seems less likely to work out, given that we all have limited cycles. But yes, that's prediction with which one could disagree. > And protocol negotiation is not only useful in the > HTTP/1.1?HTTP/2.0 use case. > >> I'd say focusing on tls1.3 and any privacy gains there is better >> than diverting effort to NPN to be honest. > > The concern raised by Brian Smith is that if TLS 1.3 is an upgrade > to TLS 1.2 with cleartext ALPN, based on how we understand > negotiated TLS today, then compliant clients may have a strong > incentive to continue to send cleartext ALPN, so that they can > negotiate with servers not yet capable of TLS 1.3. Yep, that is a good question to consider. I don't think I've seen it addressed either, but maybe I missed that. > If we settle on ALPN now, the information in ALPN seems likely to > remain in the clear for lots of handshakes even after TLS 1.3 is > widely deployed. If one of the goals of TLS 1.3 is encrypting as > much of the handshake as possible (which i think it should be), > then standardizing ALPN now seems to work against the goals of TLS > 1.3 more strongly than any diversion of effort related to NPN. Depends on what ALPN values would be present in a case where tls1.3 and http/2.0 are supported. I don't know what'd be likely there. S. > > --dkg > > > > _______________________________________________ TLS mailing list > TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQEcBAEBAgAGBQJSqH77AAoJEC88hzaAX42illgIAJltllnhLB3xGbHF/l6ul3nU Mzd8kvF9W27zRoGg0L1noxfQEawGyOjfRFxGXVO3BYHvXMSIfpAOC5vKWPnY/Hlc T2ZkklFk9bTq/b7PIJlmSlPTPqBBUCHlZkxxzlO5GeGwjXahOS7M+kc20/ufMHKG UGScMtzV5cx3fDQBAPBXjU5w9WHNz0LnLrti9q682g11a4nyRNKvPuaa8ujr4Ona dDtGKIk6ITr6DthO5IrhTEdRpR9/AgpR8WrXslMTKldELw6Inf4dBKOOkOJtnptA OTbtozBtlyvMQCHSxoVEb0FS5AgXFvTVL9t3SY/1BcYmzvbjvYl/XP1kNI8VTS4= =JATC -----END PGP SIGNATURE-----
- [TLS] A new consensus call on ALPN vs NPN (was AL… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Hannes Tschofenig
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Tom Ritter
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Wan-Teh Chang
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Paul Hoffman
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Ralf Skyper Kaiser
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Nikos Mavrogiannopoulos
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Alyssa Rowan
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephan Friedl (sfriedl)
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz