After reading up on ALPN, another security note:

From Section 3:
| For clients, this provides a virtually no overhead way to bypass
| restrictive firewalls that only allow HTTP over port 80 and HTTPS over
| port 443, as xmpp-over-tls is indistinguishable from http-over-tls.

Except that the client sends its list of requested ALPN protocols in the
clear, and the server responds with the chosen ALPN protocol in the
ServerHello, which is cleartext as well.

My gut feeling is that really restrictive firewalls will either
completely block the ALPN extension (breaking SPDY as well), or
implement ALPN parsers and whitelist HTTP only.

This will probably only be solved by TLS1.3, which is still three major
protocol meltdowns away (TLS1.0, 1.1 and 1.2 ;-))


Georg
-- 
|| http://op-co.de ++  GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N  ++
|| gpg: 0x962FD2DE ||  o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+  ||
|| Ge0rG: euIRCnet ||  X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y?   ||
++ IRCnet OFTC OPN ||_________________________________________________||
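An added example (not part of Georg's mail) showing the point above: the ALPN list sits in the cleartext ClientHello of TLS 1.2, so any middlebox can read it and apply an HTTP-only whitelist. The ClientHello built here is constructed test data, not captured traffic; the function and protocol names are my own choices.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)

def build_client_hello(alpn_protocols):
    """Construct a minimal TLS 1.2 ClientHello carrying an ALPN extension (test data only)."""
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
    alpn_ext = (struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_list) + 2)
                + struct.pack("!H", len(alpn_list)) + alpn_list)
    body = (b"\x03\x03"             # client_version: TLS 1.2
            + b"\x00" * 32          # random (all zeros, constructed)
            + b"\x00"               # session_id length 0
            + b"\x00\x02\xc0\x2f"   # one cipher suite
            + b"\x01\x00"           # compression_methods: null only
            + struct.pack("!H", len(alpn_ext)) + alpn_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_alpn(record):
    """Return the ALPN names offered in a ClientHello record, or [] if none/not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return []
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                          # skip version and random
    pos += 1 + body[pos]                                  # skip session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]     # skip cipher_suites
    pos += 1 + body[pos]                                  # skip compression_methods
    if pos + 2 > len(body):
        return []                                         # hello without extensions
    ext_total = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if etype == ALPN_EXT_TYPE:
            names, p = [], pos + 2                        # skip the 2-byte list length
            while p < pos + elen:
                n = body[p]
                names.append(body[p + 1:p + 1 + n].decode())
                p += 1 + n
            return names
        pos += elen
    return []

def allowed_by_http_only_policy(record, allowed=("http/1.1",)):
    """Firewall-style check: pass only if every offered ALPN name is on the whitelist."""
    return all(name in allowed for name in extract_alpn(record))
```

A hello with no ALPN extension at all passes this check vacuously, so a real policy also has to decide what to do with ALPN-less handshakes.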
