[TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
Brian Smith <brian@briansmith.org> Mon, 09 December 2013 15:22 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13FFA1AE338 for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 07:22:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jlIl25dxm5eI for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 07:22:53 -0800 (PST)
Received: from mail-qe0-f41.google.com (mail-qe0-f41.google.com [209.85.128.41]) by ietfa.amsl.com (Postfix) with ESMTP id 8B5CC1AE2B3 for <tls@ietf.org>; Mon, 9 Dec 2013 07:22:53 -0800 (PST)
Received: by mail-qe0-f41.google.com with SMTP id gh4so2868452qeb.14 for <tls@ietf.org>; Mon, 09 Dec 2013 07:22:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :content-type; bh=mXBoEx2Qry6wvCRjWjb1sOxuhzt8H+pqvoEZHyLfsHY=; b=J6zaUP/5JaZhw7qnLLvNHNxkZ44hqoejCZch1U728YQjUi0O4pbfD4gsaQJcxbA1mA 2fkSS9nq4Rd7fQ1L5jjiw5fZVHDRbXsDWDmfrm5rMSFpGSk0ZQRQrOI1ag6KxJKHlg0I 99yiJhusXDg/Fnhawc7NRGI8wTFRVZivgFL7qqSh3ff7wnYKF6o9UiFqI3qQMgiiuf4N tnGOY2m0WcIyypr9UiuHJkXJ2W06WPyFdRJsO+xyvpfC+pHtdpExSivG1gArueW4HBby PAcexgMZAI+4C/L3CosThIKJX2Wr2VKDn1oq9N3XfNH8jUrEzCqofTv767aQL+93YE+s m06A==
X-Gm-Message-State: ALoCoQlDISqzET0zcv9EWtvKr7nhece/2KYsj7xz0O3q6tJhRkOyR9scFkMAbZ6u8S/CNXeeMWuY
MIME-Version: 1.0
X-Received: by 10.49.84.195 with SMTP id b3mr34345265qez.32.1386602568507; Mon, 09 Dec 2013 07:22:48 -0800 (PST)
Received: by 10.224.40.11 with HTTP; Mon, 9 Dec 2013 07:22:48 -0800 (PST)
X-Originating-IP: [12.216.141.3]
Date: Mon, 09 Dec 2013 07:22:48 -0800
Message-ID: <CAFewVt7SS9ud8J=6VtR-Zv-9bhaTHEnjT8XD+ULaRSVUkYftaQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Subject: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 15:22:56 -0000
Hi all, My name is Brian Smith and I am the lead on Mozilla Corporation's work on TLS, PKI, and some related things (though *not* DTLS or other WebRTC networking stuff, which EKR does a fine job of leading). I am primarily responsible for working to secure Firefox, but most of my work also applies to Thunderbird and other software based on our "Gecko" engine. Note also that Mozilla has implemented APIs to allow certain kinds of HTML5 applications to make TCP connections in a way that enables them to implement any TCP protocol (SMTP, IMAP, etc.), not just HTTP, SPDY, and WebSockets. Therefore, our interest in protocol negotiation goes much further than negotiating just HTTP/1 vs. HTTP/2, though that is by far the most important use case for us. For the reasons I note below, I think we should re-evaluate whether we still have consensus on moving forward with recommending ALPN as the protocol negotiation mechanism to be used in TLS and specifically in HTTP/2. I would like the working group to re-consider the option of recommending the more secure and more private NPN mechanism instead, at least until TLS 1.3 can offer an even better alternative mechanism. In IETF86, there was some kind of vote in favor of ALPN over NPN. I could not attend that IETF for personal reasons, so I don't know the nature of the vote or how binding it is and whatnot. Also, I know ALPN has gone through WGLC already. I regret that I chose to voice my opposition to ALPN only privately to EKR before IETF86 and during WGLC. That was definitely a mistake on my part, and I'm truly sorry for making it. Since IETF86, and since WGLC, there have been new developments. I tried to go into detail on many of them in the "ALPN concerns" thread, but here is a summary: * During the summer, the Edward Snowden stuff happened, making us (more) aware of widespread, worldwide, spying on the users of our software. If nothing else, I hope we have learned from Snowden's work that we need to be particularly careful to maximize privacy from network attackers in the protocols and software we create. * Stephen Farrell published the first draft of "Pervasive Monitoring is an Attack" [0], which states (in part; please read the whole thiing): The technical plenary of IETF 88 [IETF88Plenary] discussed pervasive monitoring and participants had strong agreement that this was an attack and one that should be mitigated where possible via the design of protocols that make pervasive monitoring significantly more expensive or infeasible. ... For the purposes of this BCP "pervasive monitoring" means very widespread privacy-invasive gathering of protocol artefacts including application content, protocol meta-data (such as headers) or keys used to secure protocols. ... This BCP simply records the consensus to design protocols so as to mitigate the attack, where possible. Note that the protocol/options metadata that would be negotiated in ALPN or NPN or whatever is protocol metadata. I think there is no disputing that NPN (or a new design that works more like NPN) helps make attacks more expensive, even though it may not make any attack impossible, and that switching from NPN to ALPN would only help facilitate attacks. * Joseph Salowey wrote the first draft of a proposed new charter for the TLS Working Group [1]. That draft says, in part: o Develop a mode that encrypts as much of the handshake as is possible to reduce the amount of observable data to both passive and active attackers. Thus, standardizing unencrypted ALPN now seems likely to be in direct contradiction to our future charter. * During IETF88, EKR published the TLS 1.3 flows draft [2]. This draft is extremely helpful for seeing that TLS 1.3 is likely to be quite complex, even before we try to encrypt the ALPN and/or SNI extensions in the ClientHello. Also, it does not show a viable means of encrypting the ALPN extension in a backward-compatible (with unencrypted ALPN) way. (A mechanism for encrypting ALPN would have to do so without adding any round trips to be viable.) Thus, the idea that we can standardize unencrypted ALPN now, and then somehow fix it in TLS 1.3, seems extremely unrealistic. * During IETF87, Microsoft suggested that we need to extend protocol negotiation to support the negotiation of options. My understanding is that we should expect the HTTP WG to specify some such options in HTTP. AFAICT, the need for ALPN or NPN to support an open-ended set of negotiated information in addition to the protocol was not considered when considering the security of ALPN. * Mark Nottingham wrote his Opportunistic Encryption for HTTP URIs draft [3], which is a specific example of option negotiation described in the previous point. Mark also wrote [4] that he is concerned that the HTTP 2.0 work may not be able to go forward without a viable means of doing opportunistic encryption. * I described [5] (I recommend reading the whole thread, despite how many words there are in it) several technical objections to switching to ALPN from NPN on privacy and security groups, and noted that NPN is still much more widely deployed and generally meets our goals better. * I also described [6] how choosing ALPN over NPN would weaken the security properties of Mark's Opportunistic Encryption for HTTP draft. It is hard to see how it would be reasonable to do opportunistic encryption using Mark's proposed mechanism on top of ALPN, considering the significant weakness ALPN adds to it, that NPN doesn't. * In [6], I also showed that it isn't necessarily true that traffic analysis can yield information equivalent to ALPN, which was a key argument in favor of ALPN. Note that this is just the simplest possible example. I think we can be much more successful against traffic analysis in general, by adding features to TLS that make traffic analysis difficult, such as [7], and I actually don't understand why we gives any credence to the "traffic analysis makes the argument moot" argument; that seems very defeatist to me. Perfect traffic analysis prevention may be impractically expensive, but it is far from clear that imperfect traffic analysis is worthless. Tor is a pretty good but imperfect mechanism for preventing traffic analysis, and it seems to work surprisingly well. * I described [8] a potential solution for moving the application-level protocol negotiation out of the TLS protocol in "TLS 1.3" without hurting performance, at least in common cases. I don't have any political position in the argument of ALPN vs. NPN vs. whatever. My concerns are purely technical and purely based on my desire to maximize privacy and security for the users of my software and even my competitors' software. It is clear to me that ALPN is strictly worse than NPN in terms of protecting privacy and security of users. (FWIW, it would literally be easier for me to add ALPN support to Firefox than it would be for me to have typed up all these messages to the working group mailing list.) We can argue about whether ALPN is "good enough" (and I've argued extensively it isn't) but I fail to see why we should settle for something worse at all, especially when the choice of NPN better suits the motto of the IETF, "rough consensus and running code," as demonstrated by the large number of *deployed-in-production* NPN implementations. (If you used a web browser today, you probably used NPN). Therefore, I strongly encourage people to choose NPN instead of ALPN, which is my strong preference for Firefox, Thunderbird, and other Mozilla products. And, I would be very happy to do all the editing work on the NPN draft to get it into shape for being a proposed standard. Cheers, Brian [0] http://tools.ietf.org/html/draft-farrell-perpass-attack-00 [1] http://www.ietf.org/mail-archive/web/tls/current/msg10759.html [2] http://tools.ietf.org/html/draft-rescorla-tls13-new-flows-00 [3] http://tools.ietf.org/html/draft-nottingham-http2-encryption-01 [4] http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/1453.html [5] http://www.ietf.org/mail-archive/web/tls/current/msg10405.html [6] http://www.ietf.org/mail-archive/web/tls/current/msg10890.html [7] http://tools.ietf.org/html/draft-pironti-tls-length-hiding-00 [8] http://www.ietf.org/mail-archive/web/tls/current/msg10888.html [
- [TLS] A new consensus call on ALPN vs NPN (was AL… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Hannes Tschofenig
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Tom Ritter
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephen Farrell
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Daniel Kahn Gillmor
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Brian Smith
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Wan-Teh Chang
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Paul Hoffman
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Watson Ladd
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Eric Rescorla
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Ralf Skyper Kaiser
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Yoav Nir
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Nikos Mavrogiannopoulos
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Alyssa Rowan
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Stephan Friedl (sfriedl)
- Re: [TLS] A new consensus call on ALPN vs NPN (wa… Bill Frantz