Re: [Uta] ALPN recommendations in draft-ietf-uta-rfc7525bis-01

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 01 August 2021 14:02 UTC


On 8/1/21, 03:59, "Uta on behalf of John Levine" <uta-bounces@ietf.org on behalf of johnl@taugh.com> wrote:

    It appears that Martin Thomson  <mt@lowentropy.net> said:
    >There is a piece missing. Yaron mentioned Alpaca. For that what we need to say is what Alexey might fear: application protocols
    >MUST define ALPN labels and use them.

    Well, you know, ALPACA is the predictable result of three decades of web browsers accepting any crud from
    broken web servers and trying to guess what it was supposed to mean.  It'd be more effective to say that browsers
    MUST send ALPNs and MUST NOT accept responses that don't send an expected ALPN back.  That seems
    more likely to happen as people implement http/2 than that mail and IMAP and FTP servers that don't care about ALPNs will
    add them to defend against attacks that don't affect them.

[...]

    R's,
    John

This is one way to frame the problem. Another is that TLS is (1) typically only authenticated on the server side and (2) not cryptographically bound to the IP or port, the combination resulting in potential cross-protocol attacks. We as a community (inclusive of all protocols) are trying to mitigate this issue with whatever tools we have.

Unfortunately I don't think your HTTP-only proposal can work, because in order to "expect" ALPN coming back from the server, a client would need to keep a long-term cache of ALPN-friendly servers. This is much more logic than just checking a received ALPN, either in HTTP or SMTP - which, as far as I can tell, is mostly done inside the TLS library.

Thanks,
	Yaron
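The two policies argued over above (John's "browsers MUST NOT accept responses that don't send an expected ALPN back" versus the simpler "just check the ALPN the server returned") can be made concrete in code. The following is an added example, not code from the thread, the draft, or any TLS library: it encodes and parses the RFC 7301 ProtocolNameList, performs the server-side selection, and runs a client-side verifier in both a lenient and a strict mode. The function names, the scenario labels, and the sample protocol lists are all constructed for illustration.

```python
"""
ALPN (RFC 7301) negotiation plus the client-side checks discussed in the thread.
Constructed example: wire-format encode/decode of the ALPN extension body,
a server-side selection function, and a client-side verifier that implements
both the lenient check ("whatever came back must be something I offered") and
the strict policy ("an ALPN value MUST come back").
"""
import struct


def encode_alpn_protocol_list(protocols):
    """Encode a ProtocolNameList as it appears in the ALPN extension body:
    uint16 list length, then each name as uint8 length followed by the bytes."""
    if not protocols:
        raise ValueError("ALPN list must contain at least one protocol")
    body = b""
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("ALPN protocol name must be 1..255 bytes")
        body += struct.pack("!B", len(raw)) + raw
    return struct.pack("!H", len(body)) + body


def decode_alpn_protocol_list(data):
    """Parse a ProtocolNameList; reject truncated bodies and zero-length names."""
    if len(data) < 2:
        raise ValueError("truncated ALPN extension body")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len != len(data) - 2:
        raise ValueError("ALPN list length does not match extension body")
    names, pos = [], 2
    while pos < len(data):
        name_len = data[pos]
        pos += 1
        if name_len == 0 or pos + name_len > len(data):
            raise ValueError("malformed ALPN protocol name")
        names.append(data[pos:pos + name_len].decode("ascii"))
        pos += name_len
    if not names:
        raise ValueError("empty ALPN list")
    return names


def server_select(server_supported, client_offered):
    """Server side: first protocol in the server's preference order that the
    client also offered. None means no overlap (an ALPN-aware server would then
    abort with no_application_protocol) or, equally, a legacy server that never
    looks at the extension and answers with no ALPN at all."""
    for proto in server_supported:
        if proto in client_offered:
            return proto
    return None


def client_verify(offered, selected, require_alpn):
    """Client-side check after the handshake. Returns (accept, reason).
    - A selected protocol must be one the client offered; anything else is a
      protocol violation and the connection is rejected.
    - With require_alpn=True (the stricter 'expected ALPN' policy), a server
      that returns no ALPN is rejected as well."""
    if selected is None:
        if require_alpn:
            return False, "server did not confirm an application protocol"
        return True, "no ALPN from server; accepted under lenient policy"
    if selected not in offered:
        return False, f"server selected {selected!r}, which the client never offered"
    return True, f"negotiated {selected!r}"


def run_scenarios():
    """Constructed scenarios: an ALPN-aware HTTP server, a legacy server that
    ignores ALPN (checked under both policies), and a server returning a
    protocol the client never offered."""
    client_offer = ["h2", "http/1.1"]
    wire = encode_alpn_protocol_list(client_offer)       # what goes into ClientHello
    offered_on_wire = decode_alpn_protocol_list(wire)    # what the server parses
    results = {}
    sel = server_select(["h2", "http/1.1"], offered_on_wire)
    results["http_server"] = client_verify(client_offer, sel, require_alpn=True)
    results["legacy_lenient"] = client_verify(client_offer, None, require_alpn=False)
    results["legacy_strict"] = client_verify(client_offer, None, require_alpn=True)
    results["bogus_selection"] = client_verify(client_offer, "smtp", require_alpn=False)
    return results


if __name__ == "__main__":
    for label, (ok, why) in run_scenarios().items():
        print(f"{label:16} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The lenient branch is what a TLS library already gives you: Python's `ssl` module, for instance, exposes `SSLContext.set_alpn_protocols()` and `SSLSocket.selected_alpn_protocol()`, the latter returning `None` when the server sent nothing back, so the caller sees exactly the `selected is None` case above. The strict branch is the part that needs an application-level decision about which servers are "expected" to answer, which is the caching problem raised in the message.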
