Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
Alyssa Rowan <akr@akr.io> Thu, 12 December 2013 20:55 UTC
Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95D4B1AE4C5 for <tls@ietfa.amsl.com>; Thu, 12 Dec 2013 12:55:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYOca9UYOTfh for <tls@ietfa.amsl.com>; Thu, 12 Dec 2013 12:55:31 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id 9174E1AE4AE for <tls@ietf.org>; Thu, 12 Dec 2013 12:55:31 -0800 (PST)
Received: from [10.10.42.10] (cpc5-derb12-2-0-cust796.8-3.cable.virginm.net [82.31.91.29]) by entima.net (Postfix) with ESMTPSA id 3CE7D60443 for <tls@ietf.org>; Thu, 12 Dec 2013 20:55:24 +0000 (GMT)
Message-ID: <52AA22C4.3000500@akr.io>
Date: Thu, 12 Dec 2013 20:55:32 +0000
From: Alyssa Rowan <akr@akr.io>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAFewVt7SS9ud8J=6VtR-Zv-9bhaTHEnjT8XD+ULaRSVUkYftaQ@mail.gmail.com> <CABcZeBM=gOZrm1EGDSer2RmGsbOoxPDSQK5t-+LZmWaB6a_swQ@mail.gmail.com> <CAFewVt6ufrcteLfKA+r_7kby3fNRcwG410FJ1enu=pVO=xeBBQ@mail.gmail.com> <CABcZeBN=xvFG_515immvF_FuUvGXnDThrWnj_rr8Ct8Wi1jnoA@mail.gmail.com> <CA+BZK2rusGfDVAEA3vM4+WJU_Gmve2Z7P+ZEyBWBiyEEZzmsuA@mail.gmail.com> <C634E116-DF05-4325-80DB-0ECA5AFEC3FC@checkpoint.com> <1386864521.31585.57.camel@dhcp-2-127.brq.redhat.com>
In-Reply-To: <1386864521.31585.57.camel@dhcp-2-127.brq.redhat.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 20:55:35 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi. Watching this list since IETF 88, I note with some interest Eric's and Sean's responses to Brian's email raising profound concerns about the consensus call on ALPN and asking for a reconsideration and new consensus call. With the greatest of respect, saying no new 'substantive' or 'material' information which might warrant a re-examination of this issue has come to light since early September - in the light of the Snowden revelations and the IETF 88 "Hardening The Internet" Technical Plenary and its landmark discussions, mind you - is quite plainly wrong. It could not be more significant to the internet in general, and this working group in particular. We know Nation State Adversaries [hereinafter NSA] are actively attacking the internet via surveillance; we know that they laugh in the face of existing TLS deployments; and we know they have backdoored and stymied multiple encryption products and standards before. I'm certain neither the chairs nor ADs would wish for their integrity and motivations to be questioned - but one could be forgiven for perceiving their responses as blatant railroading. We already know the NSA have previously manipulated cryptographic standards to weaken them to their advantage, and it worries me that any such manipulation (were it to occur) would look exactly like this, and that the chair and ADs would be obvious targets. That troubles me. It should trouble you, too. It was clear from IETF 88 that the advantage of the open process in developing cryptographic standards is trust. We should never squander that trust by acting rashly and standardising a metadata extension to the most widely-used cryptographic protocol without properly addressing the very real concerns raised - and, where necessary, stopping, rewinding, pausing, and reconsidering to make sure that whatever we decide, we do so as carefully and knowledgeably as possible. With that in mind, I note the comments of others, and shall add my own. I'll try to keep my thoughts to bullets here. The core issue: • Using ALPN clearly identifies encapsulated protocol metadata to Eve. • Using NPN does not. - The most widespread NSA attacks, by far, are passive eavesdropping. - Metadata = surveillance¹. · Even small amounts of metadata can be surprisingly dangerous. · Especially in aggregate. - How much of a vulnerability is knowing what protocol is inside TLS? · Passive target fingerprinting · Known-plaintext = potential trouble spot for wobbly stream cipher? - Where practical, we should design protocols to protect metadata². - Any protocol might use it, NOT just HTTP/1 vs. HTTP/2: · Example: WebSockets, already live in-the-wild [NPN, often w/SPDY]. · Many, many other protocols use TLS to protect them too. · Some other protocols also use TCP/443; firewalls tend to allow it. · ALPN/NPN are both apt solutions for them to identify their nature. · If you want to keep it just to HTTP/1 or HTTP/2, say so with MUST. * And then don't we only need one bit? ;) • Where might ALPN be better than NPN? - Deployment: · Simple. Hard to overcomplicate TLS 1.2 extension with plaintext. - To TLS endpoint server: · Maybe faster? How much faster? - To an untrusted third party: · Protocol filtering firewall. (notably, a Great Firewall) · NSA, running Blue Coat, Narus or X-KEYSCORE en masse. · Simplifies stream reconstruction, especially with multiplexing * Much worse for Tor. Tor would have to lie about ALPN. - To a trusted third party that doesn't speak TLS e.g. load balancer: · Identify encapsulated protocol, plaintext, without speaking TLS. · When is that useful? Multiplexed TCP/443 encapsulating protocol? * But why TCP/443? Because of protocol filtering firewalls. + They stop stuff working. + Arguably this is what firewalls are supposed to do. + As above: Not all firewalls are authorised/desirable. + Compare interaction of IPv4 exhaustion/NAT/inbound. * But ALPN lets protocol filtering firewalls see inside! + Benefit of TCP/443 muxing removed by ALPN firewall support. + Those with something to hide must lie about ALPN if mandatory. * So we might as well just use another TCP port. Or another DNS. + Interactions with SNI. Future TLS 1.3 SNI encryption? + Interactions with DNS/DNSSEC/DNScurve or something else? * Am I missing something here? WebSockets? * In big load-balancer, would TLS endpoint do better? Don't know. • Where might NPN be better than ALPN? - Deployment: · Negative: Significantly more complex than ALPN. · But widely deployed already, thanks to SPDY drafts and WebSockets. · Patches already available for numerous TLS libraries. - To TLS endpoint server: · Maybe slightly slower? How much slower? - To an untrusted third party: · Both firewall and NSA have to guess protocol via traffic analysis · Complicates stream reconstruction, especially with multiplexing * Tor would be able to actually use NPN, potentially? - To a trusted third party that doesn't speak TLS e.g. load balancer: · Can't identify encapsulated protocol without speaking TLS/keys. · When is that useful? Scenarios which ALPN disallows if supported. • Whatever picked, we're stuck with it, if TLS 1.2 still supported. - The HTTP/2 effect. Huge. - Need to consider in light of TLS 1.3 as well. · Hard to deprecate ALPN if firewalls filter lack-of-ALPN. - But TLS 1.3 wants to encrypt as much of the handshake as possible³. · This goal is in direct conflict with more plaintext metadata. · Suggestive that TLS 1.3 perhaps MUST NOT support ALPN? · So why add it now, to have a really hard time binning it later? - Bigger handshake for implementing both. Pick one good one. • Proposal to implement ALPN & just lie as standard practice: - I think that proposal is silly. - We'd need to implement NPN as well, later. - Wouldn't we be better off just implementing NPN instead? I personally lean strongly towards NPN myself, for the above reasons. Others will no doubt have comments on my reasons, or have different reasons, and may or may not come to the same decision. Most importantly, whatever is ultimately chosen, I want it to be chosen openly, transparently, and with reasons like the above, and everything new that has come to light since the initial consensus call, properly and publicly considered. Thank you. ___ 1. A snappy comment courtesy of [Schenier] <https://www.schneier.com/blog/archives/2013/09/metadata_equals.html>; also, comments at IETF 88 Technical Plenary. 2. [Perpass] IETF 88 T/P Hum; resulting proposed BCP <http://tools.ietf.org/html/draft-farrell-perpass-attack-00> 3. Proposed updated TLS WG charter drafts; IETF 88 discussions. - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJSqiLDAAoJEOyEjtkWi2t6LQwP/RFF3it6pzgLh4Xcf53MjqLI PZpKSOmzEiwcQgFDWuMKoorvW10bjZ0PWaRXx5Xvi5eMQ9gQZLFL8y18I4Ps03C6 vruBL/7Sv/ZZ3CSUY+qGHkpExQdAoPjlcokur8zV0LvqJIof2RuSqTmHq7hz2ITm sKtWVl87ZJYDSOeFnsx8Aijse3Bc8Ow4v6ib8qpwxE5NgAamSiV3hPxiyXqxzRa7 BAhSuIviX3WDjWTvj5l6USMQaVQBDO5VXaT+4opUr+uZysuFMJNoOcu8asnD5IgB 4tKus3U2ZDgOpTf6BK1rcjfxnIsPBc9Er9mqYmAPi9Vm7zXPVz/wwjfVsZ5uRUoY qyyIJS/OjNkQVbykZsuwRHpV6ZJ6AzaItrHeXGMluTrs/zvYughjA4aw0jfNDeO/ wlg70nomu9cxSDjPIshInYpkBGM1UKlpLMfMvO5ml7ERATZTUTXHkNhbbErcyfNq 7U3MENqDKG0jERjwt3dvM1g6+SZWu1UuSelZMwZd6jh84mmn1fJ9A0tnLGDxJQ64 QGHKO/g55GRL6q6T+dVTGibuqrwaKpaL4R3zuWeBB80d2URIEMQXxTxlqpVSYCr1 khd5m+WHOMPgRMuITW4dWxvSXgIAGkyMxWOtb711dPL8BEBNqvGVTQPNIPsPuuI4 0fIhJBRhRyHXvuJp6fj/ =cTIx -----END PGP SIGNATURE-----
- [TLS] A new consensus call on ALPN vs NPN (was AL… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Hannes Tschofenig
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Tom Ritter
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Wan-Teh Chang
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Paul Hoffman
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Ralf Skyper Kaiser
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Nikos Mavrogiannopoulos
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Alyssa Rowan
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephan Friedl (sfriedl)
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz