Re: [TLS] Next protocol negotiation
Marsh Ray <marsh@extendedsubset.com> Wed, 20 January 2010 16:26 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA2DB3A6878 for <tls@core3.amsl.com>; Wed, 20 Jan 2010 08:26:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.566
X-Spam-Level:
X-Spam-Status: No, score=-2.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ebt2YcKDFH4R for <tls@core3.amsl.com>; Wed, 20 Jan 2010 08:26:29 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id EA90D3A67D7 for <tls@ietf.org>; Wed, 20 Jan 2010 08:26:28 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NXdNp-000Ehe-0y; Wed, 20 Jan 2010 16:26:17 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 56ABE631F; Wed, 20 Jan 2010 16:26:15 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX182VroPBrBVpkWV9ZqV8XX+Q/MWa6hL6Bc=
Message-ID: <4B572EA6.8040902@extendedsubset.com>
Date: Wed, 20 Jan 2010 10:26:14 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Adam Langley <agl@google.com>
References: <a84d7bc61001200520t4e3be7d4sb0bb614abb0b5e4e@mail.gmail.com> <c331d99a1001200646o55d7d2f6wfaad058b84e6024e@mail.gmail.com> <a84d7bc61001200705v39b37ba3qaea1ca4149afb0a0@mail.gmail.com> <4B5723A5.8050508@gnutls.org> <a84d7bc61001200757p30ffded4y8b0f34b157fa4dc4@mail.gmail.com>
In-Reply-To: <a84d7bc61001200757p30ffded4y8b0f34b157fa4dc4@mail.gmail.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Next protocol negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2010 16:26:29 -0000
Adam Langley wrote: > On Wed, Jan 20, 2010 at 7:39 AM, Nikos Mavrogiannopoulos > <nmav@gnutls.org> wrote: >> Ok now I see your point. However I still suggest solving issues at the >> appropriate layer, even that has some performance cost. > > The appropriate layer for protocol disambiguation is TCP. > Unfortunately, this mechanism has stopped functioning for practical > purposes and we're aware that we aren't the only group facing this > problem. One point of view is that firewall admins are ports because of their intentional policies and it is their right to control what goes on on their own network. Port 443 is going to be less useful over time as more sites deploy SSL-inspecting proxies. I don't particularly like that point of view, but it does seem to be the reality. So we have a situation where people desiring to make a new simple, secure protocol have to smuggle their traffic (even outbound connections) like some kind of malware. Once we're honest about what we're doing, other options might be available: Port 443 to a proxy server with the CONNECT verb usually works. It is rumored that many firewalls will pass anything over port 53. On many corporate Windows PCs, the 'proxy server' info available in the registry is the only reliable way to make outbound connections. > Burning an additional round trip on protocol discovery is unacceptable > for us[1]. 200ms is a good round-trip time on a 3G network and the > nature of web content means that progressive discovery of additional > resources amplifies this delay. > > Also, consider that without a suitable mechanism, we might be > condemning future protocols to forever limiting their initial > handshake to something that is HTTP compatible. You might also be able to use HTTPS to tunnel to an appropriate proxy. > We (Google) don't mind > putting in the work to make more fundamental changes but others, > perhaps, would choose not to for reasons of expediency, and would pay > this technical debt forever more. > > [1] http://googleblog.blogspot.com/2009/06/lets-make-web-faster.html Thank you guys for caring about 200ms of my finite lifetime. - Marsh
- [TLS] Next protocol negotiation Adam Langley
- [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Nikos Mavrogiannopoulos
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Nikos Mavrogiannopoulos
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Marsh Ray
- Re: [TLS] Next protocol negotiation Steve Dispensa
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Marsh Ray
- Re: [TLS] Next protocol negotiation Yoav Nir
- Re: [TLS] Next protocol negotiation Yoav Nir
- Re: [TLS] Next protocol negotiation Yoav Nir
- Re: [TLS] Next protocol negotiation Marsh Ray
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Dean Anderson
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Dean Anderson
- Re: [TLS] Next protocol negotiation Adam Langley