W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: TLS at transport level vs stream multiplexing and aggregation (http "routers")

From: James M Snell <jasnell@gmail.com>
Date: Sun, 17 Nov 2013 17:48:50 -0800
Message-ID: <CABP7RbdSv63JQYavZ80+_MB9MvYNUFUVGwpYYHwTU-BKhQEfJg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Adrien de Croy <adrien@qbik.com>, ietf-http-wg@w3.org
Just a memory refresher..  The draft needs to be updated but I'm waiting
until stuff is more stable

http://tools.ietf.org/html/draft-snell-httpbis-keynego-00

- james
On Nov 17, 2013 5:45 PM, "Mark Nottingham" <mnot@mnot.net> wrote:

> Hi Adrien,
>
> I'm personally *very* interested in this as well; I've been thinking about
> it for a while, and talking to people about it too. There are a number of
> significant benefits possible with such an approach (which is very similar
> to SHTTP of old).
>
> Currently, I'm planning to prototype something once I have a Python
> implementation going (insert running joke here).
>
> Conceptually, it's pretty simple in HTTP/2; you'd just need a handful of
> new frame types to negotiate per-origin session keys, a flag to indicate
> that encryption is in use, and the first few bytes of the payload to
> indicate which session key is in use (since there can be more than one).
>
> The really interesting stuff comes in when you can selectively sign frames
> instead of encrypting them; that would allow a HTTP response to look like
> this:
>
> HEADERS [signed]
> HEADERS [encrypted]
> DATA [encrypted]
> DATA [encrypted]
> ...
>
> so that you can selectively expose headers (e.g., Cache-Control, Host) to
> intermediaries to allow them to do interesting things.
>
> Talking to security and other folks about this, the main concerns seem to
> be:
>   a) Security evaluation of a Whole New Protocol is hard. There are lots
> of new potential attacks
>   b) Taking what was a generic security function (TLS) and making it
> effectively application-specific -- with corresponding loss of value to the
> rest of the ecosystem
>   c) Greater information leakage because an attacker can see message
> boundaries
>   d) Exposing finer gradations of encryption / signature (as above) can
> lead to very subtle security properties; i.e., it's really easy to mess
> things up here.
>
> As Mike said, implementation experience will be critical before we can
> take something this big seriously; sucking TLS into HTTP2 is not a trivial
> task.
>
> Cheers,
>
>
> On 18/11/2013, at 7:59 AM, Adrien de Croy <adrien@qbik.com> wrote:
>
> > Hi all
> >
> > there has been talk in the past about http message routers that forward
> messages relating to multiple concurrent streams over the same underlying
> protocol stream.
> >
> > I'm a big fan of this idea, but I think requiring http2 to be over TLS
> would effectively prohibit this.
> >
> > If the TLS is being used to establish credentials between client and
> server, and is connection-associated, then it holds the same set of badness
> that everyone holds against NTLM.
> >
> > This means that TLS is being applied at the wrong level.
> >
> > I think we should look into using TLS at the stream level, rather than
> transport.  This would allow a single TCP connection to contain multiple
> streams where each stream can be between different final endpoints, with
> different TLS layers.  And include unencrypted streams as well.
> >
> > Where it is desired to minimise TLS setup overhead where all streams on
> a connection will use the same TLS context, then allow for that in the
> protocol as well.
> >
> > That would then allow point to point links to use TLS to secure messages
> that may be themselves secured with TLS at the stream level or not.
> >
> > Adrien
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>
>
Received on Monday, 18 November 2013 01:49:18 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC