Re: [TLS] Request for review: Next Protocol Negotiation Extension
Nathaniel W Filardo <nwf@cs.jhu.edu> Wed, 18 August 2010 20:47 UTC
Return-Path: <nwf@cs.jhu.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 103933A67FB for <tls@core3.amsl.com>; Wed, 18 Aug 2010 13:47:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vrWM8D10GPk for <tls@core3.amsl.com>; Wed, 18 Aug 2010 13:47:25 -0700 (PDT)
Received: from blaze.cs.jhu.edu (blaze.cs.jhu.edu [128.220.13.50]) by core3.amsl.com (Postfix) with ESMTP id C4EB63A6405 for <tls@ietf.org>; Wed, 18 Aug 2010 13:47:25 -0700 (PDT)
Received: from gradx.cs.jhu.edu (gradx.cs.jhu.edu [128.220.13.52]) by blaze.cs.jhu.edu (8.14.3/8.14.3) with ESMTP id o7IKludw023727 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Aug 2010 16:47:56 -0400 (EDT)
Received: from gradx.cs.jhu.edu (localhost [127.0.0.1]) by gradx.cs.jhu.edu (8.14.3/8.13.1) with ESMTP id o7IKlumR023645; Wed, 18 Aug 2010 16:47:56 -0400
Received: (from nwf@localhost) by gradx.cs.jhu.edu (8.14.3/8.13.8/Submit) id o7IKluLW023644; Wed, 18 Aug 2010 16:47:56 -0400
Date: Wed, 18 Aug 2010 16:47:56 -0400
From: Nathaniel W Filardo <nwf@cs.jhu.edu>
To: Adam Langley <agl@google.com>
Message-ID: <20100818204756.GT18003@gradx.cs.jhu.edu>
References: <AANLkTimgjqQMdwqL_xZXGSG5hSMLqDtYH62t698e_hx9@mail.gmail.com> <4C6AD7EA.4040307@extendedsubset.com> <000401cb3e4f$456f6d60$d04e4820$@briansmith.org> <4C6B1BAA.5060303@pobox.com> <AANLkTi=QzEmzuhX=rKkTFjVvWxP5r_0zcVHq00L-4JoS@mail.gmail.com> <4C6B8189.5080406@extendedsubset.com> <AANLkTi=9TLG4f5eZ6h6duYKvcVueT53H26WNZpWV6TKS@mail.gmail.com> <4C6C01BE.8080009@extendedsubset.com> <AANLkTi=ym+Akh3ExvC48=Rce==Y2Hn96u0pPOnG=u56q@mail.gmail.com> <AANLkTikEv_AYJqUVjeUM9HTcw0Kpy5vH1M_va60JRywp@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="TjrdA9oBG3OWww3L"
Content-Disposition: inline
In-Reply-To: <AANLkTikEv_AYJqUVjeUM9HTcw0Kpy5vH1M_va60JRywp@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-08-17)
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Request for review: Next Protocol Negotiation Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 20:47:27 -0000
On Wed, Aug 18, 2010 at 02:29:02PM -0400, Adam Langley wrote: >[snip] > 1. Introduction > > As the Internet has evolved, it has become commonplace for hosts to > initiate connections based on untrusted and possibly hostile data. > HTTP [RFC2616] clients are currently the most widespread example of > this as they will fetch URLs based on the contents of untrusted > webpages. > > Any time that a connection is initiated based on untrusted data there > is the possibility of a cross-protocol attack. If the attacker can > control the contents of the connection in any way (for example, the > requested URL in an HTTP connection) they may be able to encode a > valid message in another protocol. The connecting host believes that > it is speaking one protocol but the server understands it to be > another. The application of Postel's Law exacerbates the issue as > many servers will permit gross violations of the expected protocol in > order to achieve maximum compatibility with clients. > > The WebSockets [websockets] protocol seeks to allow low-latency, > full-duplex communication between browsers and HTTP servers. However, > it also permits an unprecedented amount of attacker control over the > contents of the connection. In order to prevent cross- protocol > attacks, a mechanism to assure that both client and server are > speaking the same protocol is required. To this end, Next Protocol > Negotiation extends the TLS [RFC5246] handshake to permit both parties > to agree on their intended protocol. I realize this is the TLS mailing list, but... WebSockets are, AFAIK, designed to have a mandatory HTTP-alike header specifically so that they can be discriminated from HTTP without requiring any lower level identification being necessary (though apparently the drafts of the WS specification are less than perfect about maintaining this guarantee). In any case, this ought to render any concerns of being unable to make WS connections while still making HTTPS connections moot; they can _already_ be intermixed on port 443. Moreover, cross-protocol attacks do not require the advanced control present in WS (though surely it helps); HTTP has proven to be sufficiently useful to carry out cross-protocol attacks against both SMTP and IRC servers. It seems odd to me that secure WS is the forcing issue here. It also seems very odd to me that this is being viewed as a TLS-only thing. Cross-protocol attacks are not limited to the world of secured TLS streams (see above), and TCP ports are not in fact protocol identifiers, despite some traditions that conflate the two concepts. If cross-protocol attacks are a concern (and I'm not saying they're not), then TLS NPN is necessary but insufficient -- the outer layers and insecure links must also be protected. Further, protocols inside TLS are already implicitly weakly protected if the endpoints require authentication. There isn't any way that my web browser can carry out an HTTPS cross-protocol attack against an SMTPS server, unless the attacker already knows the appropriate SMTP credentials or I have client certs accepted by the SMTPS server loaded in my browser. Any attempt the browser makes at authenticating via HTTP mechanisms is going to be ignored by the SMTPS server. If I require STARTTLS for SMTP, I'm in an even better position than if I were using just SMTPS, as the client cert issue is gone. (Would that the HTTP world actually believed in Upgrade: for starting TLS!) Are there, in fact, attempts to mark sender's intended protocol outside of TLS being concurrently worked on (perhaps by extending the use of IPv6's Next Header field across the TCP header)? If not, why should we believe that standardization and adoption of a TLS-only NPN will help much at all? Thanks. --nwf;
- [TLS] Request for review: Next Protocol Negotiati… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Peter Sylvester
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Steingruebl, Andy
- Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Geoffrey Keating
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Juho Vähä-Herttua
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Peter Gutmann
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico