Re: [TLS] Request for review: Next Protocol Negotiation Extension
"Brian Smith" <brian@briansmith.org> Tue, 17 August 2010 21:00 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECCEE3A6A28 for <tls@core3.amsl.com>; Tue, 17 Aug 2010 14:00:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[AWL=0.682, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eIWQWTaMVyGt for <tls@core3.amsl.com>; Tue, 17 Aug 2010 14:00:16 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id A70553A6A27 for <tls@ietf.org>; Tue, 17 Aug 2010 14:00:16 -0700 (PDT)
Received: from T60 (unknown [98.200.150.199]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id F332A509DD for <tls@ietf.org>; Tue, 17 Aug 2010 17:00:44 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: tls@ietf.org
References: <AANLkTi=5H_0hGzxMmfNU0hLS=5psW6J3c2to756OT--7@mail.gmail.com> <4C69938A.9080808@gnutls.org> <AANLkTin3eQHNJPuVuVw09FbPUF4RBk7n9RFbc7EaFbM+@mail.gmail.com> <AANLkTi=dfCZNndm678OFkCZdzRhzfmRvBmZVLUD5-ueF@mail.gmail.com> <4C6AB936.1070801@extendedsubset.com> <AANLkTimgjqQMdwqL_xZXGSG5hSMLqDtYH62t698e_hx9@mail.gmail.com> <4C6AD7EA.4040307@extendedsubset.com>
In-Reply-To: <4C6AD7EA.4040307@extendedsubset.com>
Date: Tue, 17 Aug 2010 16:00:44 -0500
Message-ID: <000401cb3e4f$456f6d60$d04e4820$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGWKjOVVsWlkADqERmWe4yahRG/kwH2Dft9AmJ6878B5ufhUAHf9aKTAfVlzHUCrgr6SwHvYtPE
Content-Language: en-us
Subject: Re: [TLS] Request for review: Next Protocol Negotiation Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2010 21:00:18 -0000
Marsh Ray wrote: > On 08/17/2010 11:49 AM, Adam Barth wrote: > Run protocols on their designated port. Don't overload port numbers. > Don't allow unauthenticated connections to do anything significant (like send > mail) on any port (source IP does not count as authentication). > Don't allow web pages to initiate arbitrary connections. Following these guidelines would subject the client and server to very simple and effective DoS attacks, which are already so common that we accept them as part of the status quo. Relying on these guidelines would subject the client and server to cross-protocol attacks unless everybody else in the world follows them. > Is there an example of a use for this protocol which is, in fact, highly latency- > sensitive on the very first connection to the app server of the session? Google, Amazon.com, and others claim significant decreases in revenue that correlate with increases in latency of 100ms or even less. > To a large extent it seems the motivation here is to overlay another namespace > of type opaque <0..255> for negotiating app layer protocols separate from the > well-known port assignments thus bypassing the IANA and the control of > firewalls and site admins. Firewall and HTTP proxy administrators are the attackers in the scenarios that are being defended against. Not every Firewall or proxy is benevolent, and even many that aren't intentionally malicious are harmful due to poor implementation or configuration. > I know WebSockets isn't on trial here, but it seems like one of the main > justifications for NPN. I think it would be better for this discussion to focus on the actual security improvements that this extension enables for all protocols. Otherwise, too much discussion will be about alternatives that work for WebSockets but don't solve the same problems for other protocols. Here are the attacks that this extension helps mitigate: 1. Denial of service caused by a MitM that selectively allows traffic based on the port number; i.e. the firewall attack. This extension allows the client and server to work around the firewall attack if the attacker has left any opening, which they almost always do. 2. Traffic analysis that allows a MitM to determine the user's actions even when the communication is taking place over TLS, using the port number and/or plaintext information sent in the TLS handshake (SNI extension, certificates, etc.). For example, currently it isn't possible to build a system that uses SMTP and IMAP but which hides the user's action (sending or receiving) from a MitM; this extension (or a similar one) would enable implementations to make such traffic analysis significantly more difficult and hopefully prohibitively expensive, especially if used in conjunction with a careful padding scheme. 3. Cross-protocol attacks as described by Adam. This extension allows the client and server to explicitly specify what protocol they expect to be used on the connection. This is a useful feature even for applications that don't want to support overloading ports with multiple protocols. It is difficult to extend application layer protocols with these cross-protocol attack protections, because those extensions themselves may be exploitable with cross-protocol attacks. It is hard to believe that a significant number of attacks can be prevented simply by using port 443 for everything. But, it would really work a lot of the time; it is difficult for the attacker to counteract this defense, because often the attacker has a business or political need to avoid disrupting HTTPS on port 443; otherwise they would have disabled that already. The amazing ability of Skype to punch through firewalls is partly due to such port 443 tunneling. One thing I will say about this extension in conjunction with WebSockets: I think that it is unrealistic to expect many service providers to enable or require TLS simply for the privacy benefits of their users. Many service providers do not care about their users' privacy enough to spend any extra money to protect it. If this extension becomes the standard way to enable interoperable WebSockets support, then even service providers that are apathetic about MitM protection might having a compelling reason to use TLS. Then their end-users can enjoy improved privacy and better authentication of servers when otherwise it may never be made available for them. I think this could result in a snowball effect that would make encrypted and server-authenticated communication much more common or even eventually ubiquitous. I think the chance that this happening is reason enough to integrate this mechanism into TLS. Cheers, Brian
- [TLS] Request for review: Next Protocol Negotiati… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Peter Sylvester
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Steingruebl, Andy
- Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Geoffrey Keating
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Juho Vähä-Herttua
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Peter Gutmann
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico