IETF Logo Mail Archive

Re: [TLS] Bakeoffs

Michael Sweet <msweet@apple.com> Thu, 17 April 2014 15:31 UTC

Return-Path: <msweet@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82A231A027F for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 08:31:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.573
X-Spam-Level:
X-Spam-Status: No, score=-4.573 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwnEl4eacW0k for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 08:31:00 -0700 (PDT)
Received: from mail-out.apple.com (honeycrisp.apple.com [17.151.62.51]) by ietfa.amsl.com (Postfix) with ESMTP id 8EC5F1A025D for <tls@ietf.org>; Thu, 17 Apr 2014 08:30:58 -0700 (PDT)
MIME-version: 1.0
Received: from mail-out.apple.com by local.mail-out.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) id <0N4600F00LILQO00@local.mail-out.apple.com> for tls@ietf.org; Thu, 17 Apr 2014 08:30:45 -0700 (PDT)
Received: from relay2.apple.com ([17.128.113.67]) by local.mail-out.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTP id <0N4600DAHLR5PQR0@local.mail-out.apple.com> for tls@ietf.org; Thu, 17 Apr 2014 08:30:45 -0700 (PDT)
X-AuditID: 11807143-f79f66d0000015d3-07-534ff3a5eacc
Received: from sesame.apple.com (sesame.apple.com [17.128.115.128]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay2.apple.com (Apple SCV relay) with SMTP id B1.91.05587.5A3FF435; Thu, 17 Apr 2014 08:30:45 -0700 (PDT)
Received: from [17.153.49.162] (unknown [17.153.49.162]) by sesame.apple.com (Oracle Communications Messaging Server 7u4-24.01 (7.0.4.24.0) 64bit (built Nov 17 2011)) with ESMTPSA id <0N4600LOGLR7QJ50@sesame.apple.com> for tls@ietf.org; Thu, 17 Apr 2014 08:30:45 -0700 (PDT)
Content-type: multipart/signed; boundary="Apple-Mail=_93F75697-B4CD-4104-A2E2-47ACB631AD46"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Michael Sweet <msweet@apple.com>
In-reply-to: <CAOdDvNoZ-jThwC15FCMr=jTTeiTKsM3wZMLtqCBdFX-=CXjaFg@mail.gmail.com>
Date: Thu, 17 Apr 2014 11:30:43 -0400
Message-id: <BF675D95-5C48-49B9-BA35-602C61122009@apple.com>
References: <FAD11A6F-DB65-4797-89C2-022DCDED266F@iii.ca> <CACsn0ck5u_Sy7tvAbiT0mwRz0rkw4ZBW23F3R8qBV0urFEq21w@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B4905A5@USMBX1.msg.corp.akamai.com> <CAGZ8ZG1C8L1LW=H__FCiuK-Ywq_c63-pxW39QoCR6f0k1wd2Xg@mail.gmail.com> <534F09D6.1060308@akr.io> <CAGZ8ZG0kCxBa44cSrwF9kjsutp=ooR3QV98OWueFBZga79tMHA@mail.gmail.com> <CABkgnnWwm_z5czbH_=s8bBXMWDU_wGQLxAMh0Ay8VMqBDaywiw@mail.gmail.com> <7EBCF98B-FFE6-49D3-B899-A297C8AAA463@apple.com> <CAOdDvNoZ-jThwC15FCMr=jTTeiTKsM3wZMLtqCBdFX-=CXjaFg@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
X-Mailer: Apple Mail (2.1874)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrNLMWRmVeSWpSXmKPExsUi2FDcoLv0s3+wwdGJ2hafzncxOjB6LFny kymAMYrLJiU1J7MstUjfLoErY/Hqx0wF0/MrLk06y9LAeC+li5GTQ0LARKJ37hdGCFtM4sK9 9WwgtpBAH5PEt8XiXYxcQPYsJolJ3x6ygCSEBaQlbk7YxAxi8wroSZw5+4sdpIhZYAqjRNeD Q2CT2ATUJH5P6mMFsTkFgiXu7L0OFmcRUJWY3fUUbBCzgI/E76arUINsJCbevsIOsW0ri8SM axvAikQEtCSOLp3IDnGerMSjD00sExj5ZyFZPgvZ8llgg5MkWhvfskPY2hLLFr5mnsXIAWTr SExeyIgqDGF/PH+ECcI2lXjydjsbhG0t8XPOI6h6RYkp3Q/ZFzByrWIUKErNSaw00kssKMhJ 1UvOz93ECI6GQucdjMeWWR1iFOBgVOLh5fjtFyzEmlhWXJl7iFEFaMSjDasvMEqx5OXnpSqJ 8Lo89g8W4k1JrKxKLcqPLyrNSS0+xCjNwaIkzqvHDJQSSE8sSc1OTS1ILYLJMnFwSjUwJqef Tv40peKzzZHDZqXiFpavDeMvPDr9/vUCjpi5di/Y7k1Y+nvuR3Xe3wvqLnrff31mm1KOt7e8 9GWnkiXJ0suWbdMIe3szn3XtS6mtB6ZJqv1Unr9R+fPdy5oT66/yuSQtndr0ct9u+8/VN56+ WCxoU/0k69bSwLyu6J4Jx75GXemzXhQtKq7EUpyRaKjFXFScCAD0/3lAjgIAAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=apple.com; s=mailout2048s-14-01; t=1397748645; bh=q6daZVYcAF4jUzMrdGo72B4VGLq2vUbpQ/5HUux/ayw=; h=Subject:From:In-reply-to:Date:Cc:References:To; b=aWHAw0WIJccUNwbCaVyWFTdLcWWCQT6eADcZvtzgzoe0g0oQ32VRrfYo7dRZ319Qi BPiVy7f6hybOGl1K9dnCpKGNsFXeYwMrrhDdU1V8IMqrySD/9en1Oc+hgL7wQ4Tac0 9hNZRwxJmO5UtBxHwky1iOFfYh7vqrrU6rWob63jsTaBr+220B6IjUdSBF2OCSr9nr hHEwThDYNaGmgjR51yLuTxzIeHke5uL0g7Z5Isn6rgRMtuMd4NzOQlQq+hmathbAYN zOQzDjIIqgFv7k7Nsjluntb8iz5ThvvwE4D6rwwIZ5M5r0uP+B7M9/TABPzp8GzQMQ 3c9RC4yg2crSA==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pW8J4dYjL3v-0axZSqDCYLH9R2Y
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Bakeoffs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 15:31:02 -0000

Patrick,

On Apr 17, 2014, at 9:41 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> On Thu, Apr 17, 2014 at 8:19 AM, Michael Sweet <msweet@apple.com> wrote:
> >> FWIW, 1-RTT latency is mainly an issue when you have a browser making a dozen connections to a secure site.  With HTTP/2 that particular problem goes away...
> 
> As a browser guy I'll say I really disagree with that.

As a printer guy, I can definitely say that browsers opening dozens of connections is a major source of latency, since the printer's ability to respond to so many simultaneous connections is limited.  It's even worse when you tunnel connections over USB (IPP USB protocol) and have to multiplex requests over a limited number of channels (2 in most cases).

I'll grant that many web sites pull content from multiple servers/domains, in particular to support advertising, however it is uncommon (at least in my experience) to find all of a page's resources spread to different servers.

> HTTP/2 is important stuff, and helps hide part of the problem, but the latency issue continues to be an issue for HTTP over TLS use cases. Time to first byte of course, but also to each different referenced origin (the cdn, the third-party ad network, the identity provider, etc..). Often things that block layout are on that cdn (e.g. stylesheets, some javascript) so the time to perform 2 http transactions on 2 serialized tls terminated connections is often the same as time to first screen draw. Its considerably worse in mobile environments where RTT can be out of control.

Indeed, especially when you are opening dozens of connections before even doing a TLS handshake.

> Establishing TLS is noticeably slow, and that's a problem for the browser use case where https often competes against http for developer mind share. As a natural result, some content providers choose to run plaintext http which we can all agree is an undesirable outcome. Shrinking that gap will help.

Based on the push back in the HTTP/2 discussions on that subject, I don't think you'll get unanimous agreement on that. TLS has its place, and it is important for us to have a solid protocol to support confidential communications, but there are significant costs associated with TLS - performance, maintenance, power, money, etc. - that prevent it from being adopted wholesale today.

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

v2.23.0 | Report a Bug | By Email