Re: [TLS] Next protocol negotiation

Marsh Ray <marsh@extendedsubset.com> Wed, 20 January 2010 16:26 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA2DB3A6878 for <tls@core3.amsl.com>; Wed, 20 Jan 2010 08:26:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.566
X-Spam-Level:
X-Spam-Status: No, score=-2.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ebt2YcKDFH4R for <tls@core3.amsl.com>; Wed, 20 Jan 2010 08:26:29 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id EA90D3A67D7 for <tls@ietf.org>; Wed, 20 Jan 2010 08:26:28 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NXdNp-000Ehe-0y; Wed, 20 Jan 2010 16:26:17 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 56ABE631F; Wed, 20 Jan 2010 16:26:15 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX182VroPBrBVpkWV9ZqV8XX+Q/MWa6hL6Bc=
Message-ID: <4B572EA6.8040902@extendedsubset.com>
Date: Wed, 20 Jan 2010 10:26:14 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Adam Langley <agl@google.com>
References: <a84d7bc61001200520t4e3be7d4sb0bb614abb0b5e4e@mail.gmail.com> <c331d99a1001200646o55d7d2f6wfaad058b84e6024e@mail.gmail.com> <a84d7bc61001200705v39b37ba3qaea1ca4149afb0a0@mail.gmail.com> <4B5723A5.8050508@gnutls.org> <a84d7bc61001200757p30ffded4y8b0f34b157fa4dc4@mail.gmail.com>
In-Reply-To: <a84d7bc61001200757p30ffded4y8b0f34b157fa4dc4@mail.gmail.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Next protocol negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2010 16:26:29 -0000

Adam Langley wrote:
> On Wed, Jan 20, 2010 at 7:39 AM, Nikos Mavrogiannopoulos
> <nmav@gnutls.org> wrote:
>> Ok now I see your point. However I still suggest solving issues at the
>> appropriate layer, even that has some performance cost.
> 
> The appropriate layer for protocol disambiguation is TCP.
> Unfortunately, this mechanism has stopped functioning for practical
> purposes and we're aware that we aren't the only group facing this
> problem.

One point of view is that firewall admins are ports because of their
intentional policies and it is their right to control what goes on on
their own network. Port 443 is going to be less useful over time as more
sites deploy SSL-inspecting proxies.

I don't particularly like that point of view, but it does seem to be the
reality. So we have a situation where people desiring to make a new
simple, secure protocol have to smuggle their traffic (even outbound
connections) like some kind of malware.

Once we're honest about what we're doing, other options might be available:

Port 443 to a proxy server with the CONNECT verb usually works.

It is rumored that many firewalls will pass anything over port 53.

On many corporate Windows PCs, the 'proxy server' info available in the
registry is the only reliable way to make outbound connections.

> Burning an additional round trip on protocol discovery is unacceptable
> for us[1]. 200ms is a good round-trip time on a 3G network and the
> nature of web content means that progressive discovery of additional
> resources amplifies this delay.
> 
> Also, consider that without a suitable mechanism, we might be
> condemning future protocols to forever limiting their initial
> handshake to something that is HTTP compatible.

You might also be able to use HTTPS to tunnel to an appropriate proxy.

> We (Google) don't mind
> putting in the work to make more fundamental changes but others,
> perhaps, would choose not to for reasons of expediency, and would pay
> this technical debt forever more.
> 
> [1] http://googleblog.blogspot.com/2009/06/lets-make-web-faster.html

Thank you guys for caring about 200ms of my finite lifetime.

- Marsh