LGTM3

On Wed, Sep 27, 2023 at 7:56 AM Daniel Bratell <bratel...@gmail.com> wrote:

> LGTM2
>
> /Daniel
>
> On 2023-09-27 12:02, Yoav Weiss wrote:
>
>> LGTM1
>>
>> On Wed, Sep 27, 2023 at 11:50 AM Philipp Hancke <philipp.han...@googlemail.com> wrote:
>>
>>> On Wed, 27 Sept 2023 at 08:07, Yoav Weiss <yoavwe...@chromium.org> wrote:
>>>
>>>> On Tue, Sep 26, 2023 at 9:47 PM 'David Adrian' via blink-dev <blink-dev@chromium.org> wrote:
>>>>
>>>>> Great follow up to
>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/bYZK81WxYBo/m/lKLrZ_P2BwAJ.
>>>>> Big fan!
>>>
>>> heh, great original I2S ;-)
>>>
>>>>> On Fri, Sep 22, 2023 at 12:00 AM 'Philipp Hancke' via blink-dev <blink-dev@chromium.org> wrote:
>>>>>
>>>>>> Contact emails
>>>>>> phan...@microsoft.com, h...@chromium.org
>>>>>>
>>>>>> Specification
>>>>>> https://datatracker.ietf.org/doc/rfc8446
>>>>
>>>> This is an interesting simple case where I agree that an explainer for
>>>> this would be superfluous (as the Summary sums up what you're planning to
>>>> ship).
>>>>
>>>>>> Summary
>>>>>>
>>>>>> Randomize the order of DTLS ClientHello extensions, to reduce
>>>>>> potential ecosystem brittleness.
>>>>>>
>>>>>> This is a WebRTC specific follow-up to
>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/bYZK81WxYBo/m/lKLrZ_P2BwAJ
>>>>>> which launched successfully a while back.
>>>>>>
>>>>>> WebRTC uses DTLS (datagram TLS over UDP) multiplexed with STUN and RTP
>>>>>> and also uses a SRTP specific extension (use_srtp defined in RFC 5764) to
>>>>>> negotiate encryption keys.
>>>>>>
>>>>>> Middleboxes might expect the use_srtp flag in a certain position which
>>>>>> changes with this feature.
>>>>>>
>>>>>> Blink component
>>>>>> Blink>WebRTC
>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebRTC>
>>>>>>
>>>>>> TAG review
>>>>>> None
>>>>>>
>>>>>> TAG review status
>>>>>> Not applicable
>>>>>>
>>>>>> Risks
>>>>>>
>>>>>> Interoperability and Compatibility
>>>>>>
>>>>>> It is possible that WebRTC's ClientHello extension ordering is already
>>>>>> ossified. This change may cause compatibility issues with middleboxes, SBCs
>>>>>> or other network monitoring software. We will do a slow rollout and monitor
>>>>>> breakage.
>>>>
>>>> Presumably, this will be behind a base feature to support the slow
>>>> rollout?
>>>
>>> It is guarded with WebRTC's internal FieldTrial which is overridden with
>>> a base::FieldTrial in magic build ways.
>>>
>>>> Also, I assume the TLS side of things went smoothly. Any reason to
>>>> believe DTLS would be significantly worse?
>>>
>>> It did (see here
>>> <https://bugs.chromium.org/p/webrtc/issues/detail?id=15467#c2>). Our
>>> very own dreaded middleboxes (SBC or "Session Border Controller";
>>> callcenters use them) tend to be conservative in terms of deployment (see
>>> e.g. this comment
>>> <https://bugs.chromium.org/p/webrtc/issues/detail?id=10261#c23>)
>>> but most of them use a single vendor for browser interop testing who can
>>> help with reaching out (in addition to discuss-webrtc and the release
>>> notes) which should minimize the potential for breakage.
>>>
>>>>>> *Gecko*: Positive (
>>>>>> https://github.com/mozilla/standards-positions/issues/709) Applied to
>>>>>> TLS and DTLS equally
>>>>>>
>>>>>> *WebKit*: No signal (
>>>>>> https://github.com/WebKit/standards-positions/issues/92)
>>>>>>
>>>>>> *Web developers*: No signals
>>>>>>
>>>>>> *Other signals*:
>>>>>>
>>>>>> Ergonomics
>>>>>>
>>>>>> n/a, not developer facing
>>>>>>
>>>>>> Activation
>>>>>>
>>>>>> n/a, not developer facing
>>>>>>
>>>>>> Security
>>>>>>
>>>>>> Using a fixed extension order can encourage server implementers to
>>>>>> fingerprint Chrome and then assume specific implementation behavior. This
>>>>>> can limit ecosystem agility when Chrome implements future modifications to
>>>>>> DTLS, if the server implementations are not prepared for Chrome to change
>>>>>> its ClientHello. Chrome will randomly order extensions, subject to the
>>>>>> pre_shared_key constraint in the RFC. This will reduce the risk of server
>>>>>> and middleboxes fixating on details of our current ClientHello. This should
>>>>>> make the DTLS ecosystem more robust to changes.
>>>>>>
>>>>>> WebView application risks
>>>>>>
>>>>>> *Does this intent deprecate or change behavior of existing APIs, such
>>>>>> that it has potentially high risk for Android WebView-based applications?*
>>>>>>
>>>>>> None
>>>>>>
>>>>>> Debuggability
>>>>>>
>>>>>> n/a, inner function of TLS stack. Possible to inspect using tools like
>>>>>> Wireshark
>>>>>>
>>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>> Yes
>>>>>>
>>>>>> Is this feature fully tested by web-platform-tests
>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>> No
>>>>>>
>>>>>> Flag name on chrome://flags
>>>>>> None
>>>>>>
>>>>>> Finch feature name
>>>>>> WebRTC-PermuteTlsClientHello
>>>>>>
>>>>>> Requires code in //chrome?
>>>>>> False
>>>>>>
>>>>>> Tracking bug
>>>>>> https://bugs.chromium.org/p/webrtc/issues/detail?id=15467
>>>>>>
>>>>>> Estimated milestones
>>>>>> Shipping on desktop 120
>>>>>>
>>>>>> Anticipated spec changes
>>>>>>
>>>>>> *Open questions about a feature may be a source of future web compat
>>>>>> or interop issues. Please list open issues (e.g. links to known github
>>>>>> issues in the project for the feature specification) whose resolution may
>>>>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>>>>> the API in a non-backward-compatible way).*
>>>>>> None
>>>>>>
>>>>>> Link to entry on the Chrome Platform Status
>>>>>> https://chromestatus.com/feature/5191245718880256
>>>>>>
>>>>>> This intent message was generated by Chrome Platform Status
>>>>>> <https://chromestatus.com/>.
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "blink-dev" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADxkKi%2BWEyR_PRHcAfNNR0w1SECOZ%2B3PqVN3x%3DGcYjK10tE6sg%40mail.gmail.com
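The I2S above says Chrome will emit DTLS ClientHello extensions in a random order, keeping pre_shared_key last as RFC 8446 requires, and warns that middleboxes which expect use_srtp "in a certain position" will break. The following is an added example, not code from Chrome, BoringSSL or the WebRTC project: it serializes an unfragmented DTLS 1.2 ClientHello with a permuted extension list, parses it back the way a middlebox would, and compares a position-keyed use_srtp check (the brittle behaviour the thread is worried about) with a type-keyed one. The extension payloads are constructed sample values, and the two check functions are hypothetical stand-ins for middlebox logic.

```python
"""Added example (not Chrome/BoringSSL/WebRTC code): DTLS 1.2 ClientHello with
randomized extension order, pre_shared_key kept last, parsed back as a
middlebox would parse it."""
import random
import struct

HS_CLIENT_HELLO = 1  # HandshakeType.client_hello

# ExtensionType codes from the IANA TLS registry.
EXT_SUPPORTED_GROUPS = 0x000A
EXT_EC_POINT_FORMATS = 0x000B
EXT_SIGNATURE_ALGORITHMS = 0x000D
EXT_USE_SRTP = 0x000E        # RFC 5764
EXT_PRE_SHARED_KEY = 0x0029  # RFC 8446 4.2.11: must be the last ClientHello extension
EXT_RENEGOTIATION_INFO = 0xFF01

# Constructed sample payloads for the demo (not captured traffic).
SAMPLE_EXTENSIONS = {
    EXT_SUPPORTED_GROUPS: bytes.fromhex("0004001d0017"),      # x25519, secp256r1
    EXT_EC_POINT_FORMATS: bytes.fromhex("0100"),              # uncompressed
    EXT_SIGNATURE_ALGORITHMS: bytes.fromhex("000404030804"),  # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
    EXT_USE_SRTP: bytes.fromhex("0002000700"),                # SRTP_AEAD_AES_128_GCM, empty MKI
    EXT_RENEGOTIATION_INFO: bytes.fromhex("00"),
}


def _rng(rng):
    """Accept None (CSPRNG), an int seed (reproducible demo) or a random.Random instance."""
    if rng is None:
        return random.SystemRandom()
    return random.Random(rng) if isinstance(rng, int) else rng


def permute_extensions(extensions, rng=None):
    """Return (type, body) pairs in random order; pre_shared_key, if present, stays last."""
    rng = _rng(rng)
    items = [(t, b) for t, b in extensions.items() if t != EXT_PRE_SHARED_KEY]
    rng.shuffle(items)
    if EXT_PRE_SHARED_KEY in extensions:
        items.append((EXT_PRE_SHARED_KEY, extensions[EXT_PRE_SHARED_KEY]))
    return items


def build_dtls_client_hello(extensions, rng=None, message_seq=0):
    """Serialize one unfragmented DTLS 1.2 ClientHello handshake message (RFC 6347 4.2.2)."""
    ext_block = b"".join(struct.pack("!HH", t, len(b)) + b
                         for t, b in permute_extensions(extensions, rng))
    body = (
        b"\xfe\xfd"                              # client_version: DTLS 1.2
        + bytes(32)                              # random (zeroed in this demo)
        + b"\x00"                                # session_id: empty
        + b"\x00"                                # cookie: empty (DTLS-only field)
        + struct.pack("!H", 2) + b"\xc0\x2b"     # one cipher suite
        + b"\x01\x00"                            # compression_methods: null
        + struct.pack("!H", len(ext_block)) + ext_block
    )
    n = len(body).to_bytes(3, "big")
    # msg_type, length, message_seq, fragment_offset, fragment_length
    header = bytes([HS_CLIENT_HELLO]) + n + struct.pack("!H", message_seq) + bytes(3) + n
    return header + body


def extension_types(msg):
    """Walk a DTLS ClientHello as a middlebox would; return extension types in wire order."""
    if msg[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = msg[12:]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 1 + body[pos]                                    # cookie
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    types = []
    while pos < end:
        t, ln = struct.unpack("!HH", body[pos:pos + 4])
        types.append(t)
        pos += 4 + ln
    if pos != end:
        raise ValueError("extension length mismatch")
    return types


def brittle_use_srtp_check(msg, expected_index):
    """Hypothetical position-keyed middlebox rule: 'use_srtp is always extension #N'."""
    types = extension_types(msg)
    return expected_index < len(types) and types[expected_index] == EXT_USE_SRTP


def robust_use_srtp_check(msg):
    """Hypothetical type-keyed rule: find use_srtp by its code wherever it lands."""
    return EXT_USE_SRTP in extension_types(msg)


def psk_is_last(msg):
    types = extension_types(msg)
    return EXT_PRE_SHARED_KEY not in types or types[-1] == EXT_PRE_SHARED_KEY


def fingerprint_survival(extensions, trials=200, seed=0):
    """Fraction of permuted hellos each rule accepts, after the rule was 'learned' from one hello."""
    learned = extension_types(build_dtls_client_hello(extensions, seed))
    fixed_index = learned.index(EXT_USE_SRTP)
    rng = _rng(seed)
    brittle = robust = 0
    for _ in range(trials):
        msg = build_dtls_client_hello(extensions, rng)
        brittle += brittle_use_srtp_check(msg, fixed_index)
        robust += robust_use_srtp_check(msg)
    return brittle / trials, robust / trials
```

With five permutable extensions the position-keyed rule accepts only about one hello in five once ordering is randomized, while the type-keyed rule keeps working; that is exactly the class of breakage the slow rollout is meant to surface. `extension_types` can be run against a handshake body copied out of Wireshark (strip the DTLS record layer first) to see where use_srtp landed in a real capture.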