Re: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)

Andrei Popov <> Mon, 09 December 2013 21:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1465B1AE565 for <>; Mon, 9 Dec 2013 13:00:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5RGNnh00aIqK for <>; Mon, 9 Dec 2013 13:00:01 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 38BF51AE521 for <>; Mon, 9 Dec 2013 13:00:01 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.837.10; Mon, 9 Dec 2013 20:59:55 +0000
Received: from ([]) by ([]) with mapi id 15.00.0837.004; Mon, 9 Dec 2013 20:59:55 +0000
From: Andrei Popov <>
To: Alfredo Pironti <>, Brian Smith <>
Thread-Topic: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)
Date: Mon, 9 Dec 2013 20:59:54 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: [2001:4898:80e8:ed31::3]
x-forefront-prvs: 00550ABE1F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(13464003)(377454003)(51704005)(52604005)(199002)(189002)(24454002)(87266001)(53806001)(63696002)(74316001)(74366001)(49866001)(76576001)(47736001)(47976001)(81342001)(80976001)(51856001)(46102001)(19580395003)(15202345003)(2656002)(4396001)(74876001)(15975445006)(54356001)(81686001)(19580405001)(83322001)(74706001)(81816001)(47446002)(90146001)(54316002)(56776001)(74502001)(56816005)(77982001)(33646001)(59766001)(76786001)(31966008)(87936001)(74662001)(79102001)(81542001)(50986001)(85306002)(76482001)(76796001)(69226001)(80022001)(65816001)(83072002)(85852003)(3826001)(24736002)(376185003); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB417;; CLIP:2001:4898:80e8:ed31::3; FPR:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<>" <>, Peter Gutmann <>
Subject: Re: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Dec 2013 21:00:03 -0000

To add to Alfredo's points, the problem is that http2-tls-relaxed is explicitly MITM-able by design, and is intended only to prevent passive attacks.

If I understand correctly, an active attacker can prevent http2-tls-relaxed from happening by manipulating Alt-Svc headers, regardless of whether ALPN or NPN is used.



-----Original Message-----
From: TLS [] On Behalf Of Alfredo Pironti
Sent: Monday, December 9, 2013 8:41 AM
To: Brian Smith
Cc: Peter Gutmann; <>
Subject: Re: [TLS] How ALPN makes the http2-tls-relaxed option less secure, compared to NPN (was Re: ALPN concerns)

Hi Brian,

Thanks for clarifying, I now understand the use case you were referring to. I especially missed case 1. I have further comments, that I put inline.

On Mon, Dec 9, 2013 at 5:10 PM, Brian Smith <> wrote:
> On Mon, Dec 9, 2013 at 7:23 AM, Alfredo Pironti <> wrote:
>>> The case where the server does not use a certificate that the client 
>>> would verify correctly as it would in the "normal" HTTPS case is not 
>>> interesting. However, the case where opportunistic encryption is 
>>> being used with a certificate that *is* valid (as defined by 
>>> RFC5280, et
>>> al.) is interesting.
>> I think this pre-condition makes your counter-example invalid.
>> A client that only accepts valid certificates is in practice only 
>> implementing http2, not http2-tls-relaxed, in that client's behavior 
>> doesn't change.
> Let's say the client is connecting to using TLS. There 
> are two interesting possibilities:
> 1. The client could be resolving an http:// link that uses 
> opportunistic encryption. In this case, if the client supports 
> opportunistic encryption, the client would support "http2-tls-relaxed"
> and "http2-tls" (and "http1-tls") and a MitM attack, if attempted, 
> would succeed.
> 2. The client could be resolving an https:// link. In this case, the 
> client would only support "http2-tls" (and "http1-tls") and a MitM 
> attack, if attempted, would fail in a end-user-notable way.
> With ALPN, it is trivial for the MitM to determine which case it is 
> and act accordingly. With NPN, it is not trivial (it requires 
> correlating data from multiple connections) and in many cases it may 
> be impossible (e.g. when an HTTP cache has stored the response with 
> the alternate-service upgrade header).

With ALPN, the client could always send both "http2-tls-relaxed" and "http2", making its behavior indistinguishable in cases 1 and 2. Isn't this enough to make your attacker desist?

For functionality, you may say that allowing "http2-tls-relaxed" in case 2 may lead the server to send an invalid certificate when it could have sent a valid one (and so one needs to distinguish the two cases). Do we have a realistic scenario of this? I mean: a server that prefers a "mitm-able" connection over a more secure one. A case where the server would send a invalid certificate to disguise its identity doesn't seem to work, because any further "http2"-only connection (from any unauthenticated client) may reveal its identity anyway.

(I don't want to defend ALPN at all costs, but maybe what I propose is enough to satisfy your use case? I'd prefer to conceal the upper protocol from the attacker, but this has to be done at the same security that other TLS-protected data get, and I find NPN does not quite achieve this.)


>> Indeed, but under the assumption that only valid certificates are 
>> accepted, the behaviors coincide to "http2".
> In the case of opportunistic encryption, we would support both valid 
> and invalid certificates. In the case of normal "http2-tls" and 
> "http1-tls", we would support only valid certificates.
> Cheers,
> Brian
> --
> Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
TLS mailing list