Contact emails
[email protected], [email protected]

Specification
https://datatracker.ietf.org/doc/rfc8446

Design docs
https://docs.google.com/document/d/1NIeWj_xFE3p7Q2IxVjnztO4_Aqih3VAskHlLYqDFjvk/edit?resourcekey=0-FCsdas1l23L830egKOun4A
https://github.com/dadrian/clienthello-randomization/blob/main/EXPLAINER.md

Summary
Randomize the order of TLS ClientHello extensions, to reduce potential ecosystem brittleness.

Blink component
Internals>Network>SSL <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL>

TAG review

TAG review status
Not applicable

Risks

Interoperability and Compatibility
It is possible that Chrome's ClientHello extension ordering is already ossified. This change may cause compatibility issues with middleboxes or other network monitoring software. We will do a slow rollout and monitor breakage.

Gecko: Positive (https://groups.google.com/a/chromium.org/g/blink-dev/c/zdmNs2rTyVI/m/MAiQwQkwCAAJ) https://bugzilla.mozilla.org/show_bug.cgi?id=1789436
WebKit: No signal
Web developers: No signals
Other signals:

Ergonomics
n/a, not developer facing

Activation
n/a, not developer facing

Security
Using a fixed extension order can encourage server implementers to fingerprint Chrome and then assume specific implementation behavior. This can limit ecosystem agility when Chrome implements future modifications to TLS, if the server implementations are not prepared for Chrome to change its ClientHello.

Chrome will randomly order extensions, subject to the pre_shared_key constraint in the RFC. This will reduce the risk of servers and middleboxes fixating on details of our current ClientHello. This should make the TLS ecosystem more robust to changes.

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

Debuggability
n/a, inner function of TLS stack

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No

Flag name

Requires code in //chrome?
False

Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1351809

Launch bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1351809

Estimated milestones
DevTrial on desktop: 106
DevTrial on Android: 106

Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5124606246518784

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42Kq9uKJp5AenLhvDJUQiSycUWndPAaPornCmb9XhhZwNg%40mail.gmail.com.
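The pre_shared_key constraint that the Security section refers to comes from RFC 8446 section 4.2.11: when the extension is present it must be the last one in the ClientHello, because its binders are computed over everything before it. The following is an added example, not code from this intent or from Chromium's TLS stack, that models the randomization (shuffle every extension except pre_shared_key, which stays pinned last), a receiver-side parser that enforces the rule, and a side-by-side of an order-sensitive fingerprint with an order-insensitive one to show which kind of server or middlebox logic this change breaks. Extension type codes are the IANA registry values; the payload bytes are constructed placeholders, and all function names are the example's own.

```python
"""Added example (not Chromium/BoringSSL code): ClientHello extension-order
randomization under the RFC 8446 section 4.2.11 rule that pre_shared_key,
when present, MUST be the last extension; a receiver-side parser that
enforces it; and two fingerprints, one of which this change invalidates."""
import hashlib
import random
import struct

# ExtensionType values from the IANA TLS registry (RFC 8446 section 4.2).
SERVER_NAME = 0
SUPPORTED_GROUPS = 10
SIGNATURE_ALGORITHMS = 13
ALPN = 16
PRE_SHARED_KEY = 41
SUPPORTED_VERSIONS = 43
PSK_KEY_EXCHANGE_MODES = 45
KEY_SHARE = 51

# Constructed sample extension list, (type, payload). Payloads are opaque
# placeholders, not real encodings; only types and order matter here.
SAMPLE_EXTENSIONS = [
    (SERVER_NAME, b"sni"),
    (SUPPORTED_GROUPS, b"groups"),
    (SIGNATURE_ALGORITHMS, b"sigalgs"),
    (ALPN, b"alpn"),
    (SUPPORTED_VERSIONS, b"versions"),
    (PSK_KEY_EXCHANGE_MODES, b"modes"),
    (KEY_SHARE, b"keyshare"),
    (PRE_SHARED_KEY, b"psk"),
]


def randomize_extensions(exts, rng=random):
    """Reordered copy: shuffle everything except pre_shared_key, which is
    pinned last because its binders cover the preceding bytes."""
    psk = [e for e in exts if e[0] == PRE_SHARED_KEY]
    if len(psk) > 1:
        raise ValueError("more than one pre_shared_key extension")
    rest = [e for e in exts if e[0] != PRE_SHARED_KEY]
    rng.shuffle(rest)
    return rest + psk


def encode_extensions(exts):
    """Wire form: uint16 total length, then per extension uint16 type,
    uint16 length, data (RFC 8446 section 4.2)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(buf):
    """Inverse of encode_extensions with strict bounds checks. Rejects
    truncation, trailing bytes, duplicate types, and a pre_shared_key
    that is not the final extension."""
    if len(buf) < 2:
        raise ValueError("short extensions block")
    (total,) = struct.unpack("!H", buf[:2])
    if len(buf) != 2 + total:
        raise ValueError("extensions length mismatch")
    off, exts, seen = 2, [], set()
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated extension header")
        t, n = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if off + n > len(buf):
            raise ValueError("truncated extension body")
        if t in seen:
            raise ValueError("duplicate extension type %d" % t)
        seen.add(t)
        exts.append((t, buf[off:off + n]))
        off += n
    if any(t == PRE_SHARED_KEY for t, _ in exts[:-1]):
        raise ValueError("pre_shared_key must be the last extension")
    return exts


def order_sensitive_fingerprint(exts):
    """Hash of extension types in wire order: logic keyed on this breaks
    as soon as the client randomizes, which is the ossification risk."""
    data = ",".join(str(t) for t, _ in exts).encode()
    return hashlib.sha256(data).hexdigest()[:16]


def order_insensitive_fingerprint(exts):
    """Hash of the sorted extension types: unchanged by reordering."""
    data = ",".join(str(t) for t in sorted(t for t, _ in exts)).encode()
    return hashlib.sha256(data).hexdigest()[:16]


def psk_misplaced_is_rejected():
    """A ClientHello with pre_shared_key anywhere but last must be refused."""
    bad = [(PRE_SHARED_KEY, b"psk"), (SERVER_NAME, b"sni")]
    try:
        parse_extensions(encode_extensions(bad))
    except ValueError:
        return True
    return False


def demo(num_samples=20):
    """Randomize several times; report what stays fixed and what varies."""
    hellos = [randomize_extensions(SAMPLE_EXTENSIONS, random.Random(s))
              for s in range(num_samples)]
    for h in hellos:
        assert parse_extensions(encode_extensions(h)) == h  # round-trips
    return {
        "psk_always_last": all(h[-1][0] == PRE_SHARED_KEY for h in hellos),
        "distinct_wire_orders": len({order_sensitive_fingerprint(h) for h in hellos}),
        "distinct_sorted_fps": len({order_insensitive_fingerprint(h) for h in hellos}),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a summary in which pre_shared_key is last in every sample, the order-insensitive fingerprint collapses to a single value, and the order-sensitive one fans out into many values; anything on the server or middlebox side that keys on the latter is exactly what the slow rollout described above is meant to surface.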
