Re: [TLS] ALPN concerns
Brian Smith <brian@briansmith.org> Tue, 19 November 2013 05:59 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4397D1A1F72 for <tls@ietfa.amsl.com>; Mon, 18 Nov 2013 21:59:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TnZVrDm45-z6 for <tls@ietfa.amsl.com>; Mon, 18 Nov 2013 21:59:02 -0800 (PST)
Received: from mail-qc0-f176.google.com (mail-qc0-f176.google.com [209.85.216.176]) by ietfa.amsl.com (Postfix) with ESMTP id A5B6F1A1F61 for <tls@ietf.org>; Mon, 18 Nov 2013 21:59:02 -0800 (PST)
Received: by mail-qc0-f176.google.com with SMTP id s19so4473712qcw.21 for <tls@ietf.org>; Mon, 18 Nov 2013 21:58:56 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ZWOa+qPQPSejuxoaK+hzk9aoGD3gDgrFN8qsdfIIxzY=; b=LfaRKzDIzcajGyrSZObVij4UAEIbaUeHXmwDVQGdttGNLh2VsOBFr2pJIYOVb6N1mS VJfA8vZEq4/unpwwKSPVEOAqMprmRqF3ebOSkjfr4nZoxxWXEvdv/aYrxF01bl/1zd5o +NbZvRmMptqzjy0yQZc8dnk3G62IvimP7AtU1co1gjT2zWYu5C4/xV8miwqZJJKBYrWg JUeWUEBiKdIH1Wl+nRiThrmVsPsMOFI+2VAN7PO9A166MxUxOakUrsudKoVPOyO8KC7m YlAqYaharN3V4ftjxt6Bs0iwiH8t2Wm+w8p1xhr9PZJbVZ1qPLVMj8AJGVvAkym8K0n4 f6Tg==
X-Gm-Message-State: ALoCoQkNPmlKdY/zg7pGn/JlDdsanujgepTT5ROKmB17DLbpXHZGg3nq23zJYPQytS9KEKXj6uI3
MIME-Version: 1.0
X-Received: by 10.224.115.146 with SMTP id i18mr40352865qaq.23.1384840736529; Mon, 18 Nov 2013 21:58:56 -0800 (PST)
Received: by 10.224.38.5 with HTTP; Mon, 18 Nov 2013 21:58:56 -0800 (PST)
X-Originating-IP: [63.245.219.53]
In-Reply-To: <E774C81546D66E429BF56B1474C7EBBA012CE328CB@SEAEMBX01.olympus.F5Net.com>
References: <9A043F3CF02CD34C8E74AC1594475C736540E268@uxcn10-tdc06.UoA.auckland.ac.nz> <E774C81546D66E429BF56B1474C7EBBA012CE328CB@SEAEMBX01.olympus.F5Net.com>
Date: Mon, 18 Nov 2013 21:58:56 -0800
Message-ID: <CAFewVt5K07p4UTzpkaXMxscbUuBo-jNB=VGF_cscGY3ZhPss-Q@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Xiaoyong Wu <X.Wu@f5.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "<tls@ietf.org>" <tls@ietf.org>, Peter Gutmann <p.gutmann@auckland.ac.nz>
Subject: Re: [TLS] ALPN concerns
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 05:59:05 -0000
On Wed, Nov 6, 2013 at 10:00 AM, Xiaoyong Wu <X.Wu@f5.com> wrote: > As I am explaining this in detail, I would say that another work around on this would be making a client hello that exceeds 512 in length. Xiaoyong, thank you very much for sharing that with us! That is incredibly useful. In the thread "Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3," Yoav Nir <ynir@checkpoint.com> wrote: > I think it would actually be worse than that. Browsers don't want > reconnect fallback. So whatever TLS 1.3 looks like, the ClientHello > that browsers send will be such that it can be accepted by at least > TLS 1.0 servers (and there are plenty of those around). And as > others have mentioned, SNI is needed in many cases. Without it, > https://www.gmail.com will give you a certificate error. > > So you might have a clientHello that leads to super-duper TLS 1.3, > but to avoid the need for fallback, you include the SNI (and > presumably ALPN) in the ClientHello. This is exactly right for SNI. Even if we define a new replacement for SNI, browsers will still be sending SNI in the clear for the next 10 years. We should still try to work toward a long-term solution to that problem, but it isn't something that can be solved in the short term. During the TLS WG session at IETF88, somebody commented that TLS 1.3 is supposed to solve the problem of encrypting information in the ClientHello, so the plaintext vs. cleartext issue shouldn't be a concern for ALPN. But, for the same reason we can't have any near-term solution for encrypting SNI in the ClientHello, we won't have any near-term solution for encrypting ALPN in the ClientHello that would meet browsers needs. Again, I want to emphasize that Firefox ALREADY solves this problem, even without TLS 1.3, by implementing NPN and avoiding ALPN. If other browsers just turned off ALPN then the problem of how to hide the protocol negotiation information would be solved. As far as I've been led to believe, ALPN exists primarily to allow MitM to more easily inspect what protocol the application is speaking and possibly block the application, with as low of a cost to the MitM as possible--i.e. exactly the opposite goal of everything we discussed at IETF88 in perpass and in other discussions. I still have a lot of trouble understanding how we can agree in the IETF as a whole that we should be trying to make attacks more difficult, even if we can't make them impossible, but here in the TLS WG, we are literally going out of our way to leak information in the clear unnecessarily. I think that in many cases, traffic analysis that relies on timing information will be able to tell with a high degree of accuracy which protocol has been selected for use on the connection. However, traffic analysis cannot tell us what protocols were offered but *not* selected. Further, traffic analysis based on timing is more expensive and less reliable than having the information given on a silver platter. In some cases, traffic analysis vs. explicit plaintext leakage might be the difference between reasonable doubt or not. In other cases, the difficulty of discerning two protocols--whether you are sending email (SMTP) or pinging the server to retrieve email (IMAP) vs loading the login page (HTTP)--may increase the storage and processing cost by an order of magnitude or more, if we can get it to work. Personally, I'm disappointed to hear the arguments that it is not worthwhile to consider trying to solve that problem in the context of the design of ALPN, because we worry it is unsolvable. I feel like we haven't even started trying to solve it yet, so I don't understand why we're giving up so easily. Further, I don't see a need to rush to a conclusion on ALPN for HTTP/2 given this chart: https://github.com/http2/http2-spec/wiki/Implementations At the time I write this, 11/13 support NPN. 6/13 support ALPN, and there are plenty of implementations that can interoperate. Literally, a higher number of products would have to do extra work to reduce the privacy of their protocol and settings negotiation than the number of products that would need to flip a single bit (or less) to have a higher level of privacy protection for the protocol and settings negotiation. (Note that it isn't even clear what settings negotiation HTTP/2 may add to the protocol negotiation step, so we cannot even debate how sensitive the information in that settings negotiation is when trying to determine if leaking application data in the ALPN extension is acceptable.) Also note that the Mozilla line in the chart is a little misleading. Patrick added ALPN support to a private copy of Firefox for the purpose of the interop testing, which is I support. However, Firefox doesn't actually support ALPN in our shipping product, only in Patrick's special build. And, I would very much like to keep it that way. FWIW, I am working on an experiment for adding NPN support to Thunderbird (an email client based on Gecko, like Firefox), so that Thunderbird can speak SMTP, IMAP, POP, LDAP, and HTTP to a single server on a single port, https://example.org:443/. One purpose of this experiment is to demonstrate how we can get through networks that block, or charge extra money for, email protocols while still allowing HTTPS, without needing separate hostnames for each server. A second purpose is to evaluate whether there are effective ways of making side channel analysis for distinguishing the user's activity--sending email vs retrieving email, for example--or even what product the user is using--Thunderbird vs. Firefox--more difficult than we might first suspect. I would appreciate it if the working group could give me some more time to complete this experiment and/or help me with it, before completely giving up on trying to protect the protocol negotiation information in the handshake. Also, if we can build a reliable 1-RTT handshake in TLS 1.3, then there may be a design that allows us to remove protocol negotiation from TLS completely, putting it back in the application layer. I will be sharing a write-up of how this would work shortly. IMO, it is much better to have the long-term solution for protocol and settings negotiation be in the application layer, if it is reasonable to do so. I am not one of those people that yell "layer violation" at everything, but if we can avoid later violations in the long term, then we should do so. All that said, I am very grateful to the F5 team for sharing the information to work around the interop issue that I originally complained about in my ALPN Concerns email during IETF88. Xiaoyong set a great example for us all and I hope that that kind of openness in sharing information continues here on this list. Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
- Re: [TLS] ALPN concerns Nico Williams
- [TLS] ALPN concerns Brian Smith
- Re: [TLS] ALPN concerns Yoav Nir
- Re: [TLS] ALPN concerns Martin Thomson
- Re: [TLS] ALPN concerns Yoav Nir
- Re: [TLS] ALPN concerns Geoffrey Keating
- Re: [TLS] ALPN concerns Yoav Nir
- Re: [TLS] ALPN concerns Peter Gutmann
- Re: [TLS] ALPN concerns John Mattsson
- Re: [TLS] ALPN concerns Yoav Nir
- Re: [TLS] ALPN concerns Xiaoyong Wu
- Re: [TLS] ALPN concerns Adam Langley
- Re: [TLS] ALPN concerns Yoav Nir
- Re: [TLS] ALPN concerns Dr Stephen Henson
- Re: [TLS] ALPN concerns Yutaka OIWA
- Re: [TLS] ALPN concerns Andrei Popov
- Re: [TLS] ALPN concerns Dr Stephen Henson
- Re: [TLS] ALPN concerns Adam Langley
- Re: [TLS] ALPN concerns Mark Nottingham
- Re: [TLS] ALPN concerns Wan-Teh Chang
- Re: [TLS] ALPN concerns Wan-Teh Chang
- Re: [TLS] ALPN concerns Xiaoyong Wu
- Re: [TLS] ALPN concerns Brian Smith
- Re: [TLS] ALPN concerns Andrei Popov
- Re: [TLS] ALPN concerns Brian Smith
- Re: [TLS] ALPN concerns Nikos Mavrogiannopoulos
- Re: [TLS] ALPN concerns Andrei Popov
- Re: [TLS] ALPN concerns Pascal Urien