> On 5 nov. 2015, at 20:52, Georg Lukas <ge...@op-co.de> wrote:
> 
> My gut feeling is that really restrictive firewalls will either
> completely block the ALPN extension (breaking SPDY as well), or
> implement ALPN parsers and whitelist HTTP only.
> 
> This will probably only be solved by TLS1.3, which is still three major
> protocol meltdowns away (TLS1.0, 1.1 and 1.2 ;-))

While SNI/ALPN encryption for the ClientHello was discussed for TLS 1.3, I
think it was ultimately dropped as it added too much extra complexity (but
maybe there's someone here who follows the TLS WG more closely).

Encryption of the server's extensions is still supported, though, so the
selected ALPN protocol can be hidden.

Regards,
Thijs

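The following is an added example, not code from either participant in this thread: it parses the ALPN offer out of a plaintext ClientHello, which is the part a filtering middlebox can read, and applies an HTTP-only whitelist of the kind the quoted message anticipates. The function names, the whitelist contents and the sample ClientHello are assumptions constructed for illustration, and the parser assumes the ClientHello fits in a single TLS record.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)
HTTP_ONLY = {"http/1.1", "h2"}  # assumed whitelist, for illustration only

def _vec(buf, pos, len_bytes):
    """Read one length-prefixed TLS vector; return (data, next_pos)."""
    start = pos + len_bytes
    end = start + int.from_bytes(buf[pos:start], "big")
    if end > len(buf):  # also catches a cut-off length field
        raise ValueError("truncated vector")
    return buf[start:end], end

def client_hello_alpn(record):
    """ALPN names offered in a plaintext ClientHello held in one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body, _ = _vec(record, 6, 3)        # handshake body, 3-byte length
    pos = 2 + 32                        # skip client_version and random
    for width in (1, 2, 1):             # session_id, cipher_suites, compression
        _, pos = _vec(body, pos, width)
    if pos == len(body):
        return []                       # ClientHello without extensions
    exts, _ = _vec(body, pos, 2)
    pos, offered = 0, []
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == ALPN_EXT:
            names, _ = _vec(data, 0, 2)  # ProtocolNameList
            p = 0
            while p < len(names):
                name, p = _vec(names, p, 1)
                offered.append(name.decode("ascii", "replace"))
    return offered

def http_only(record):
    """True when ALPN is present and every offered name is on the whitelist."""
    offered = client_hello_alpn(record)
    return bool(offered) and set(offered) <= HTTP_ONLY

def build_sample(protocols):
    """Constructed minimal ClientHello (sample data, not a capture)."""
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    alpn = struct.pack("!HHH", ALPN_EXT, len(names) + 2, len(names)) + names
    exts = struct.pack("!HHHBH", 0, 16, 14, 0, 11) + b"example.org" + alpn  # SNI, ALPN
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The parser only covers the client's offer; it has nothing to read once the server's extensions, including the selected protocol, are sent encrypted.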