Re: [TLS] PR#1091: Changes to provide middlebox robustness

Yoav Nir <> Wed, 08 November 2017 06:50 UTC

From: Yoav Nir <>
Date: Wed, 8 Nov 2017 08:50:31 +0200
Cc: Eric Rescorla <>, "" <>
To: Rich Salz <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

> On 8 Nov 2017, at 2:32, Salz, Rich <> wrote:
> ➢ Given that we're almost there, and that only really browsers are
>     asking for these hacks, and that even some of those were almost ready
>     to ship without these hacks, I don't think that this is entirely
>     unrealistic as an aspiration.
> The Internet is more than just a couple of browser executables.
> Does nobody think of the servers?
> I do, but I don't really see how they're relevant for this question. Don't the servers control the middleboxes they are behind?
> The smiley got lost. But smiley isn't quite the right emoticon either.

Maybe we need a resigned-to-the-harsh-reality emoticon. Oh wait, there is one [1].

> But to answer your question: no, they often don't. And it's not just the middleboxes they are behind, but all those along the way.

The server-side middleboxes tend to be somewhat higher quality and get more regular updates. There are also fewer vendors, so the problem is more manageable.

> To say that only browsers were asking for these hacks is also a little disingenuous.  It was a self-selected design group (to be charitable) that mostly worked by themselves without the whole WG being involved.  I’m glad we seem to be ending up with something that works, with the only thing being lost is some nerd esthetics, but let’s not forget the (to me, disappointing) way the whole thing went down: a collaboration among, and only among, Google, Mozilla, and Facebook.

Sure. Whatever applies to browsers applies to every app or library that uses a web service. So wget, cURL, any of the libraries for Java, whatever you call the libraries behind apps on the various mobile platforms.