Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On Tue 2013-12-10 17:19:10 -0500, Stephen Farrell wrote:
> FWIW, I agree with you in general, but in this case the privacy
> leak is non-existent if its only HTTP/1.1 vs HTTP/2.0 - since
> the binary encoding and lack of head-of-line blocking in the
> latter will give that game away anyway.

i don't think i understand this argument.  are you saying that traffic
analysis will disclose what protocol is in use in this case?

if so, that's still a win; we've forced a passive attacker to move from
trivial byte-string matching to traffic analysis, which is more complex
and less certain.  And we can further complicate traffic analysis with
other approaches like Pironti's length hiding:

  http://tools.ietf.org/html/draft-pironti-tls-length-hiding-00

And protocol negotiation is not only useful in the HTTP/1.1→HTTP/2.0 use
case.

> I'd say focusing on tls1.3 and any privacy gains there is better
> than diverting effort to NPN to be honest.

The concern raised by Brian Smith is that if TLS 1.3 is an upgrade to
TLS 1.2 with cleartext ALPN, based on how we understand negotiated TLS
today, then compliant clients may have a strong incentive to continue to
send cleartext ALPN, so that they can negotiate with servers not yet
capable of TLS 1.3.

If we settle on ALPN now, the information in ALPN seems likely to remain
in the clear for lots of handshakes even after TLS 1.3 is widely
deployed.  If one of the goals of TLS 1.3 is encrypting as much of the
handshake as possible (which i think it should be), then standardizing
ALPN now seems to work against the goals of TLS 1.3 more strongly than
any diversion of effort related to NPN.

        --dkg