
Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard

2013-12-15 17:26:39
On Fri, Dec 13, 2013 at 4:28 PM, Stephan Friedl (sfriedl)
<sfriedl(_at_)cisco(_dot_)com> wrote:
> I fear that there is a perception that ALPN leaks information like a sieve
> and NPN doesn't leak at all.  Both extensions leak information in plain text
> - they just leak different information.
>
> NPN leaks the entire list of protocols available on a host/port combination
> and encrypts the single protocol selected by the client.  When watching a
> single TLS negotiation using NPN, a passive attacker knows all the protocols
> exposed by a server and therefore has a big head start on identifying the
> single protocol chosen by the client as well as assessing a server for
> potential vulnerabilities to exploit - effectively an instant port scan.  In
> contrast ALPN has the client advertising the protocols it supports in
> plaintext and has the server's selection of a protocol returned in plaintext.
> In ALPN the entire list of protocols supported by a given host on a given
> port is never revealed during a single TLS negotiation.

Clients are much more interesting to watch than servers. So long as
ALPN and NPN are negotiating among a small number of protocol versions
this doesn't matter. But if we include various options in HTTP this
makes fingerprinting easier if they are exposed in ALPN. Scanning for
what a server supports looks like a bunch of diverse clients
connecting: it isn't going to get noticed anyway. But knowing that a
client supports the latest Firefox+a particular extension because it
has support for a protocol over 443 is very useful. I don't think the
extra few bits matter, but we should remind everyone that they should
be very few bits. (In particular the inevitable hack advertising IRC
support via ALPN is a terrible idea).


> Also, I agree with Yoav's take on ALPN as simple networking and not a
> 'cryptographic protocol'.  All ALPN does is provide the protocol to be used
> for a connection when the port number is no longer definitive.  ALPN is a
> plain, vanilla extension - whereas NPN does introduce some non-standard
> twists to TLS extension practice in that the negotiation is not encapsulated
> in the hello messages and that it introduces a padded handshake message
> between the ChangeCipherSpec and Finished messages.


ALPN needs to be negotiated and tied into the session. Otherwise you
can have fun playing wrong protocol with right authority games.

Sincerely,
Watson Ladd
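
The client-side exposure discussed in this message can be audited by decoding the ALPN extension from a captured ClientHello extensions block and comparing it with the short list a client is expected to offer. This is an added example, not part of the original message; the extension number 16 and the list layout follow RFC 7301, while the sample bytes, the "irc" identifier and the allowlist are constructed for illustration.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)

class ParseError(ValueError):
    """Raised when the captured bytes are not a well-formed extensions block."""

def parse_alpn_list(ext_data):
    """Decode a ProtocolNameList: u16 list length, then u8-length-prefixed names."""
    if len(ext_data) < 2:
        raise ParseError("truncated ProtocolNameList")
    (total,) = struct.unpack_from("!H", ext_data, 0)
    if total != len(ext_data) - 2:
        raise ParseError("ProtocolNameList length mismatch")
    names, pos = [], 2
    while pos < len(ext_data):
        n = ext_data[pos]
        pos += 1
        if n == 0 or pos + n > len(ext_data):
            raise ParseError("bad ProtocolName length")
        names.append(ext_data[pos:pos + n].decode("ascii", "backslashreplace"))
        pos += n
    return names

def alpn_from_extensions(block):
    """Walk extensions (u16 type, u16 length, data); return the names sent in cleartext."""
    pos = 0
    while pos + 4 <= len(block):
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block):
            raise ParseError("extension overruns block")
        if ext_type == ALPN_EXT_TYPE:
            return parse_alpn_list(block[pos:pos + ext_len])
        pos += ext_len
    if pos != len(block):
        raise ParseError("trailing bytes after last extension")
    return []

def unexpected_protocols(names, allowed):
    """Names outside the allowlist are extra fingerprinting bits the client gives away."""
    return [n for n in names if n not in allowed]

def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data

# Constructed sample: an empty renegotiation_info extension followed by an ALPN list.
_names = b"".join(bytes([len(p)]) + p for p in (b"h2", b"http/1.1", b"irc"))
SAMPLE_EXTENSIONS = _ext(0xFF01, b"\x00") + _ext(ALPN_EXT_TYPE, struct.pack("!H", len(_names)) + _names)
ALLOWED = {"h2", "http/1.1"}  # assumed policy for this example

if __name__ == "__main__":
    offered = alpn_from_extensions(SAMPLE_EXTENSIONS)
    print(offered, "unexpected:", unexpected_protocols(offered, ALLOWED))
```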
