IETF Logo Mail Archive

Re: [TLS] Request for review: Next Protocol Negotiation Extension

"Brian Smith" <brian@briansmith.org> Tue, 17 August 2010 21:00 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECCEE3A6A28 for <tls@core3.amsl.com>; Tue, 17 Aug 2010 14:00:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[AWL=0.682, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eIWQWTaMVyGt for <tls@core3.amsl.com>; Tue, 17 Aug 2010 14:00:16 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id A70553A6A27 for <tls@ietf.org>; Tue, 17 Aug 2010 14:00:16 -0700 (PDT)
Received: from T60 (unknown [98.200.150.199]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id F332A509DD for <tls@ietf.org>; Tue, 17 Aug 2010 17:00:44 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: tls@ietf.org
References: <AANLkTi=5H_0hGzxMmfNU0hLS=5psW6J3c2to756OT--7@mail.gmail.com> <4C69938A.9080808@gnutls.org> <AANLkTin3eQHNJPuVuVw09FbPUF4RBk7n9RFbc7EaFbM+@mail.gmail.com> <AANLkTi=dfCZNndm678OFkCZdzRhzfmRvBmZVLUD5-ueF@mail.gmail.com> <4C6AB936.1070801@extendedsubset.com> <AANLkTimgjqQMdwqL_xZXGSG5hSMLqDtYH62t698e_hx9@mail.gmail.com> <4C6AD7EA.4040307@extendedsubset.com>
In-Reply-To: <4C6AD7EA.4040307@extendedsubset.com>
Date: Tue, 17 Aug 2010 16:00:44 -0500
Message-ID: <000401cb3e4f$456f6d60$d04e4820$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGWKjOVVsWlkADqERmWe4yahRG/kwH2Dft9AmJ6878B5ufhUAHf9aKTAfVlzHUCrgr6SwHvYtPE
Content-Language: en-us
Subject: Re: [TLS] Request for review: Next Protocol Negotiation Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2010 21:00:18 -0000

Marsh Ray wrote:
> On 08/17/2010 11:49 AM, Adam Barth wrote:
> Run protocols on their designated port. Don't overload port numbers.
> Don't allow unauthenticated connections to do anything significant (like
send
> mail) on any port (source IP does not count as authentication).
> Don't allow web pages to initiate arbitrary connections.

Following these guidelines would subject the client and server to very
simple and effective DoS attacks, which are already so common that we accept
them as part of the status quo. Relying on these guidelines would subject
the client and server to cross-protocol attacks unless everybody else in the
world follows them.

> Is there an example of a use for this protocol which is, in fact, highly
latency-
> sensitive on the very first connection to the app server of the session?

Google, Amazon.com, and others claim significant decreases in revenue that
correlate with increases in latency of 100ms or even less. 

> To a large extent it seems the motivation here is to overlay another
namespace
> of type opaque <0..255> for negotiating app layer protocols separate from
the
> well-known port assignments thus bypassing the IANA and the control of
> firewalls and site admins.

Firewall and HTTP proxy administrators are the attackers in the scenarios
that are being defended against. Not every Firewall or proxy is benevolent,
and even many that aren't intentionally malicious are harmful due to poor
implementation or configuration.

> I know WebSockets isn't on trial here, but it seems like one of the main
> justifications for NPN.

I think it would be better for this discussion to focus on the actual
security improvements that this extension enables for all protocols.
Otherwise, too much discussion will be about alternatives that work for
WebSockets but don't solve the same problems for other protocols. Here are
the attacks that this extension helps mitigate:

1. Denial of service caused by a MitM that selectively allows traffic based
on the port number; i.e. the firewall attack. This extension allows the
client and server to work around the firewall attack if the attacker has
left any opening, which they almost always do.

2. Traffic analysis that allows a MitM to determine the user's actions even
when the communication is taking place over TLS, using the port number
and/or plaintext information sent in the TLS handshake (SNI extension,
certificates, etc.). For example, currently it isn't possible to build a
system that uses SMTP and IMAP but which hides the user's action (sending or
receiving) from a MitM; this extension (or a similar one) would enable
implementations to make such traffic analysis significantly more difficult
and hopefully prohibitively expensive, especially if used in conjunction
with  a careful padding scheme.

3. Cross-protocol attacks as described by Adam. This extension allows the
client and server to explicitly specify what protocol they expect to be used
on the connection. This is a useful feature even for applications that don't
want to support overloading ports with multiple protocols. It is difficult
to extend application layer protocols with these cross-protocol attack
protections, because those extensions themselves may be exploitable with
cross-protocol attacks.

It is hard to believe that a significant number of attacks can be prevented
simply by using port 443 for everything. But, it would really work a lot of
the time; it is difficult for the attacker to counteract this defense,
because often the attacker has a business or political need to avoid
disrupting HTTPS on port 443; otherwise they would have disabled that
already. The amazing ability of Skype to punch through firewalls is partly
due to such port 443 tunneling.

One thing I will say about this extension in conjunction with WebSockets: I
think that it is unrealistic to expect many service providers to enable or
require TLS simply for the privacy benefits of their users. Many service
providers do not care about their users' privacy enough to spend any extra
money to protect it. If this extension becomes the standard way to enable
interoperable WebSockets support, then even service providers that are
apathetic about MitM protection might having a compelling reason to use TLS.
Then their end-users can enjoy improved privacy and better authentication of
servers when otherwise it may never be made available for them. I think this
could result in a snowball effect that would make encrypted and
server-authenticated communication much more common or even eventually
ubiquitous. I think the chance that this happening is reason enough to
integrate this mechanism into TLS.

Cheers,
Brian

v2.23.0 | Report a Bug | By Email