Re: Fwd: New Version Notification for draft-nottingham-http2-encryption-02.txt

------ Original Message ------
From: "William Chan (陈智昌)" <>
>Oh, I misunderstood you and perhaps miscommunicated. Indeed, the
>Chromium project currently has no plans to respect a server
>advertisement that we could do unauthenticated TLS for http:// URIs. I
>believe the draft does not require a client to respect any such server
>advertisement, but merely proposes a mechanism for such a server
>advertisement. The site author has the choice to advertise
>unauthenticated TLS for http:// URIs, and the client has a choice of
>whether or not to respect it, and intermediaries have the choice of
>stripping out such advertisements if they so choose. I'm stating the
>current Chromium project stance is that we do not believe such a
>mechanism should even be standardized, and were it to be standardized,
>we would not respect the server advertisement in our browser.
>And for clarity, we do have a similar mechanism today in
>Alternate-Protocol. That is intended to allow site authors to
>advertise support for SPDY (or QUIC) for deployment of protocols with
>better networking performance, *not* for security or privacy. There is
>a fine line there, and it's definitely debatable whether or not we
>should even support Alternate-Protocol given possible confusion here.
>It's something we have in the back of our minds, but we have not felt
>a need to revisit it at this time. But we may need to do so.
>I hope this clarifies matters. Let me know if there is any confusion
>here. I understand that we seem to disagree both on:
>* Whether or not increased HTTPS adoption is a good thing
I prefer to take 1 step back from there.

Whether or not we should be trying to make a judgement call on whether 
increased (or existing) level of HTTPS adoption is a good thing or not.

I would propose we should not even be trying to rule on this point.

>* Whether or not opportunistic encryption should even be offered (by
>any party, be it server/intermediary, or client).
I may be misunderstanding what is proposed.

in mail, opportunistic encryption closest corollary is STARTTLS.  In 
this case, it's not unauthenticated.  Also, the protocol isn't first 
layered over TLS.  the TLS is decided on later in the protocol, and if 
chosen, it is added under the application layer over the transport 

Is the current proposal that http2 always be over TLS but that there be 
an optional opt-out for crypto? Or opt-out of the authentication part of 
the crypto?

This leaves the TLS framing (and the problematic handshake) in each 
connection, which I have a problem with purely from a performance POV.

I'm in New Zealand so maybe I'm more sensitive to latency.  It's at 
least 200ms RT to the US from here.



>>  Adrien
>>>>   Adrien
>>>>   ------ Original Message ------
>>>>   From: "William Chan (陈智昌)" <>
>>>>   To: "Patrick McManus" <>
>>>>   Cc: "Martin Thomson" <>; "Mark Nottingham"
>>>>   <>; "HTTP Working Group" <>
>>>>   Sent: 13/12/2013 09:05:07
>>>>   Subject: Re: Fwd: New Version Notification for
>>>>   draft-nottingham-http2-encryption-02.txt
>>>>>   Me speaking as a Chromium project representative here:
>>>>>   We talked about this internally amongst Chromium project members, 
>>>>>   the *current consensus* opinion is that Chromium does not support
>>>>>   opportunistic encryption, nor would we implement it were such a
>>>>>   mechanism standardized (I'm assuming no one's proposing mandatory 
>>>>>   implement...the draft does not appear to do so). We want to push
>>>>>   people toward adopting HTTPS, not the middle ground of 
>>>>>   encryption. You can see some opinions from other project members
>>>>>   (,
>>>>>   OK, back to me talking as me, just another IETF individual:
>>>>>   I respect the goals behind opportunistic encryption, but it is
>>>>>   *unclear* to me if it is actually a net positive. There are 
>>>>>   a lot of things to like about it which I think have already been
>>>>>   covered. But I'm concerned that the risk of hurting HTTPS 
>>>>>adoption is
>>>>>   real and significant. I don't have hard data to back this up. But 
>>>>>   looking at the numerous complaints about browser warnings for
>>>>>   self-signed certs
>>>>>   (,
>>>>>   etc) is indicative that site developers perceive a lot of benefit 
>>>>>   encryption without authentication. I am not convinced site 
>>>>>   sufficiently understand the importance of authentication, and I 
>>>>>   that offering a middle ground of unauthenticated encryption will 
>>>>>   them an out to not go full HTTPS.
>>>>>   I think that the main problem we'd like to address is that HTTPS
>>>>>   adoption sucks. I join others in saying we should focus our 
>>>>>   on solving that problem
>>>>>   (, 
>>>>>   than working on proposals where the net result is unclear to be
>>>>>   beneficial or detrimental.
>>>>>   Cheers.
>>>>>   On Thu, Dec 12, 2013 at 10:03 AM, Patrick McManus
>>>>>  <>
>>>>>   wrote:
>>>>>>    I am slowing coming to a similar position on http2-encryption 
>>>>>>   Martin
>>>>>>    expresses in the quote trail.
>>>>>>    Doing the relaxed semantic is imo probably a net-positive. I'm 
>>>>>>   entirely
>>>>>>    convinced but I'm not sure anything other than time and 
>>>>>>    experience could make it more clear. (anyone interested in a 
>>>>>>  please
>>>>>>   let
>>>>>>    me know.)
>>>>>>    I also don't see a need to use a different *PN token for it 
>>>>>>than you
>>>>>>   would
>>>>>>    for normal https. Any advertisement for relaxed (e.g. via 
>>>>>>alt-svc) is
>>>>>>   scoped
>>>>>>    to the origin (and therefore scheme) and http/2 itself carries 
>>>>>>  scheme
>>>>>>   on
>>>>>>    every transaction so the server isn't gaining any new 
>>>>>>information by
>>>>>>   putting
>>>>>>    a relaxed token in the handshake. Brian, over in TLS WG, and 
>>>>>>  have
>>>>>>    made different arguments why using 2 identifiers could be a net 
>>>>>>  to
>>>>>>    security and I don't see anyone arguing its necessity.
>>>>>>    On Thu, Dec 12, 2013 at 12:31 AM, Martin Thomson
>>>>>>   <>
>>>>>>    wrote:
>>>>>>>    Overall, I think that the relaxed semantic proposed here is a
>>>>>>>  pragmatic
>>>>>>>    approach to getting more goodness into our protocol. Goodness 
>>>>>>>  in
>>>>>>>   this
>>>>>>>    instance, better resilience against passive attacks, as well 
>>>>>>>  opening
>>>>>>>    avenues to some forms of active attack mitigation.
>>>>>>>    Re C.4:
>>>>>>>    I haven't seen strong justification for the "h2r" identifier. 
>>>>>>>On the
>>>>>>>    contrary, I see potential for harm in it. I'm worried that 
>>>>>>>this will
>>>>>>>   create
>>>>>>>    more confusion about the security properties of the protocol.
>>>>>>>    The idea that "h2r" might be used as some form of signal is
>>>>>>>  basically
>>>>>>>    devoid of value unless you believe that http: URIs will 
>>>>>>>somehow need
>>>>>>>  to
>>>>>>>   be
>>>>>>>    retrieved with the same level of confidentiality and 
>>>>>>>  as
>>>>>>>    https: ones. I just don't see a server that cares about this 
>>>>>>>   the "s"
>>>>>>>    off.
>>>>>>>    I believe it to be sufficient for the client to just use TLS. 
>>>>>>>    decisions about authentication are largely up to the client. 
>>>>>>>  server
>>>>>>>    would have to assume that http: URIs aren't going through 
>>>>>>>   checks,
>>>>>>>    though that doesn't mean that checking is completely 
>>>>>>>precluded. I
>>>>>>>  can
>>>>>>>    imagine not checking in the classic CA chaining sense, but 
>>>>>>>   CT-like
>>>>>>>    mechanisms could be useful in reducing the incidences of some 
>>>>>>>  of
>>>>>>>    active attacks. Especially if we are able to provide 
>>>>>>>   incentive
>>>>>>>    for proxies to come out from cover of darkness (actually, that 
>>>>>>>  be a
>>>>>>>    necessary precondition for some really strong improvements).
>>>>>>>    Creating disincentives around the use of "better" modes is - 
>>>>>>>  from
>>>>>>>    just being perverse - ultimately going to be self-defeating. 
>>>>>>>As long
>>>>>>>  as
>>>>>>>   the
>>>>>>>    downgrade path includes HTTP/1.1 in the clear, an active 
>>>>>>>attack is
>>>>>>>   going to
>>>>>>>    be trivial to mount without some other facilities in place.
>>>>>>>    I think that a "relaxed" mode is a good incremental 
>>>>>>>  Maybe
>>>>>>>   it
>>>>>>>    will be a leg up on those facilities.
>>>>>>>    On Dec 10, 2013 8:21 PM, "Mark Nottingham" <> 
>>>>>>>>    FYI.
>>>>>>>>    Begin forwarded message:
>>>>>>>>    > From:
>>>>>>>>    > Subject: New Version Notification for
>>>>>>>>    > draft-nottingham-http2-encryption-02.txt
>>>>>>>>    > Date: 11 December 2013 3:18:55 pm AEDT
>>>>>>>>    > To: Mark Nottingham <>
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>    > A new version of I-D, 
>>>>>>>>    > has been successfully submitted by Mark Nottingham and 
>>>>>>>>posted to
>>>>>>>>  the
>>>>>>>>    > IETF repository.
>>>>>>>>    >
>>>>>>>>    > Filename: draft-nottingham-http2-encryption
>>>>>>>>    > Revision: 02
>>>>>>>>    > Title: Opportunistic Encryption for HTTP URIs
>>>>>>>>    > Creation date: 2013-12-11
>>>>>>>>    > Group: Individual Submission
>>>>>>>>    > Number of pages: 10
>>>>>>>>    > URL:
>>>>>>>>    >
>>>>>>>>    > Status:
>>>>>>>>    > 
>>>>>>>>    > Htmlized:
>>>>>>>>    > 
>>>>>>>>    > Diff:
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>    > Abstract:
>>>>>>>>    > This document proposes two changes to HTTP/2.0; first, it
>>>>>>>>  suggests
>>>>>>>>    > using ALPN Protocol Identifies to identify the specific 
>>>>>>>>stack of
>>>>>>>>    > protocols in use, including TLS, and second, it proposes a 
>>>>>>>>way to
>>>>>>>>    > opportunistically encrypt HTTP/2.0 using TLS for HTTP URIs.
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>    >
>>>>>>>>    > Please note that it may take a couple of minutes from the 
>>>>>>>>time of
>>>>>>>>    > submission
>>>>>>>>    > until the htmlized version and diff are available at
>>>>>>>>    >
>>>>>>>>    > The IETF Secretariat
>>>>>>>>    >
>>>>>>>>    --
>>>>>>>>    Mark Nottingham

Received on Thursday, 12 December 2013 23:25:12 UTC