Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 December 2013 14:41 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C23D41ADF87 for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 06:41:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IGYvKoGLt0qo for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 06:41:54 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id C2AD51ADF70 for <tls@ietf.org>; Wed, 11 Dec 2013 06:41:54 -0800 (PST)
Received: from fifthhorseman.net (dsl254-070-154.nyc1.dsl.speakeasy.net [216.254.70.154]) by che.mayfirst.org (Postfix) with ESMTPSA id E7F90F985 for <tls@ietf.org>; Wed, 11 Dec 2013 09:41:47 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 46B891FF62; Tue, 10 Dec 2013 15:44:29 -0800 (PST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF TLS Working Group <tls@ietf.org>
In-Reply-To: <52A7935E.5020906@cs.tcd.ie>
References: <CAFewVt7SS9ud8J=6VtR-Zv-9bhaTHEnjT8XD+ULaRSVUkYftaQ@mail.gmail.com> <52A77DB4.7020501@gmx.net> <52A7935E.5020906@cs.tcd.ie>
User-Agent: Notmuch/0.16 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu)
Date: Tue, 10 Dec 2013 18:44:22 -0500
Message-ID: <87ob4o1dbd.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Subject: Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2013 14:41:57 -0000
On Tue 2013-12-10 17:19:10 -0500, Stephen Farrell wrote: > FWIW, I agree with you in general, but in this case the privacy > leak is non-existent if its only HTTP/1.1 vs HTTP/2.0 - since > the binary encoding and lack of head-of-line blocking in the > latter will give that game away anyway. i don't think i understand this argument. are you saying that traffic analysis will disclose what protocol is in use in this case? if so, that's still a win; we've forced a passive attacker to move from trivial byte-string matching to traffic analysis, which is more complex and less certain. And we can further complicate traffic analysis with other approaches like Pironti's length hiding: http://tools.ietf.org/html/draft-pironti-tls-length-hiding-00 And protocol negotiation is not only useful in the HTTP/1.1→HTTP/2.0 use case. > I'd say focusing on tls1.3 and any privacy gains there is better > than diverting effort to NPN to be honest. The concern raised by Brian Smith is that if TLS 1.3 is an upgrade to TLS 1.2 with cleartext ALPN, based on how we understand negotiated TLS today, then compliant clients may have a strong incentive to continue to send cleartext ALPN, so that they can negotiate with servers not yet capable of TLS 1.3. If we settle on ALPN now, the information in ALPN seems likely to remain in the clear for lots of handshakes even after TLS 1.3 is widely deployed. If one of the goals of TLS 1.3 is encrypting as much of the handshake as possible (which i think it should be), then standardizing ALPN now seems to work against the goals of TLS 1.3 more strongly than any diversion of effort related to NPN. --dkg
- [TLS] A new consensus call on ALPN vs NPN (was AL… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Hannes Tschofenig
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Tom Ritter
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Wan-Teh Chang
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Paul Hoffman
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Ralf Skyper Kaiser
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Nikos Mavrogiannopoulos
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Alyssa Rowan
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephan Friedl (sfriedl)
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz