On Fri, Dec 13, 2013 at 4:28 PM, Stephan Friedl (sfriedl) <sfriedl@xxxxxxxxx> wrote:
> I fear that there is a perception that ALPN leaks information like a sieve and NPN doesn't leak at all. Both extensions leak information in plain text - they just leak different information.
>
> NPN leaks the entire list of protocols available on a host/port combination and encrypts the single protocol selected by the client. When watching a single TLS negotiation using NPN, a passive attacker knows all the protocols exposed by a server and therefore has a big head start on identifying the single protocol chosen by the client as well as assessing a server for potential vulnerabilities to exploit - effectively an instant port scan. In contrast ALPN has the client advertising the protocols it supports in plaintext and has the server's selection of a protocol returned in plaintext. In ALPN the entire list of protocols supported by a given host on a given port is never revealed during a single TLS negotiation.

Clients are much more interesting to watch than servers. So long as ALPN and NPN are negotiating among a small number of protocol versions this doesn't matter. But if we include various options in HTTP this makes fingerprinting easier if they are exposed in ALPN.

Scanning for what a server supports looks like a bunch of diverse clients connecting: it isn't going to get noticed anyway. But knowing that a client supports the latest Firefox+a particular extension because it has support for a protocol over 443 is very useful.

I don't think the extra few bits matter, but we should remind everyone that they should be very few bits. (In particular the inevitable hack advertising IRC support via ALPN is a terrible idea).

>
> Also, I agree with Yoav's take on ALPN as simple networking and not a 'cryptographic protocol'. All ALPN does is provide the protocol to be used for a connection when the port number is no longer definitive. ALPN is a plain, vanilla extension - whereas NPN does introduce some non-standard twists to TLS extension practice in that the negotiation is not encapsulated in the hello messages and that it introduces a padded handshake message between the ChangeCipherSpec and Finished messages.
>

ALPN needs to be negotiated and tied into the session. Otherwise you can have fun playing wrong protocol with right authority games.

Sincerely,
Watson Ladd
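
An added illustration, not part of either message: the sketch below decodes the ALPN extension from a hello's extensions block, using the wire format later published as RFC 7301, to show what each side exposes in cleartext (the client's full list, the server's single choice). The sample bytes, the helper names and the protocol name `x-example` are constructed for this example.

```python
import struct

ALPN = 16  # extension type application_layer_protocol_negotiation (RFC 7301)


def iter_extensions(block):
    """Yield (type, data) for each extension in a hello's extensions block."""
    off = 0
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, off)
        off += 4
        if off + ext_len > len(block):
            raise ValueError("extension overruns block")
        yield ext_type, block[off:off + ext_len]
        off += ext_len


def parse_alpn(data):
    """Decode ProtocolNameList: u16 list length, then u8-length-prefixed names."""
    if len(data) < 2 or struct.unpack_from("!H", data)[0] != len(data) - 2:
        raise ValueError("bad ProtocolNameList length")
    names, off = [], 2
    while off < len(data):
        n = data[off]
        if n == 0 or off + 1 + n > len(data):
            raise ValueError("bad protocol name length")
        names.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return names


def visible_alpn(block):
    """Protocol names readable in cleartext from one hello message."""
    for ext_type, data in iter_extensions(block):
        if ext_type == ALPN:
            return parse_alpn(data)
    return []


def build_alpn(names):
    """Encode an ALPN extension; used only to construct the samples below."""
    body = b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)
    return struct.pack("!HHH", ALPN, len(body) + 2, len(body)) + body


# Constructed samples: an empty renegotiation_info (0xff01), then ALPN.
CLIENT_EXTS = b"\xff\x01\x00\x01\x00" + build_alpn(["spdy/3", "http/1.1", "x-example"])
SERVER_EXTS = build_alpn(["spdy/3"])
```

Every name the client lists beyond the common ones is an extra distinguishing bit for an observer, which is the argument above for keeping the advertised list short.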