On Wed, Sep 27, 2023 at 08:07 Yoav Weiss <yoavwe...@chromium.org> wrote:
> On Tue, Sep 26, 2023 at 9:47 PM 'David Adrian' via blink-dev <blink-dev@chromium.org> wrote:
>> Great follow up to https://groups.google.com/a/chromium.org/g/blink-dev/c/bYZK81WxYBo/m/lKLrZ_P2BwAJ. Big fan!
>
> heh, great original I2S ;-)
>
>> On Fri, Sep 22, 2023 at 12:00 AM 'Philipp Hancke' via blink-dev <blink-dev@chromium.org> wrote:
>>> Contact emails
>>> phan...@microsoft.com, h...@chromium.org
>>>
>>> Specification
>>> https://datatracker.ietf.org/doc/rfc8446
>
> This is an interesting simple case where I agree that an explainer for this would be superfluous (as the Summary sums up what you're planning to ship).
>
>>> Summary
>>> Randomize the order of DTLS ClientHello extensions, to reduce potential ecosystem brittleness.
>>>
>>> This is a WebRTC specific follow-up to https://groups.google.com/a/chromium.org/g/blink-dev/c/bYZK81WxYBo/m/lKLrZ_P2BwAJ which launched successfully a while back.
>>>
>>> WebRTC uses DTLS (datagram TLS over UDP) multiplexed with STUN and RTP and also uses a SRTP specific extension (use_srtp defined in RFC 5764) to negotiate encryption keys.
>>>
>>> Middleboxes might expect the use_srtp flag in a certain position which changes with this feature.
>>>
>>> Blink component
>>> Blink>WebRTC <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebRTC>
>>>
>>> TAG review
>>> None
>>>
>>> TAG review status
>>> Not applicable
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>> It is possible that WebRTC's ClientHello extension ordering is already ossified. This change may cause compatibility issues with middleboxes, SBCs or other network monitoring software. We will do a slow rollout and monitor breakage.
>
> Presumably, this will be behind a base feature to support the slow rollout?

It is guarded with WebRTC's internal FieldTrial which is overridden with a base::FieldTrial in magic build ways.

> Also, I assume the TLS side of things went smoothly. Any reason to believe DTLS would be significantly worse?

It did (see here <https://bugs.chromium.org/p/webrtc/issues/detail?id=15467#c2>). Our very own dreaded middleboxes (SBC or "Session Border Controller"; callcenters use them) tend to be conservative in terms of deployment (see e.g. this comment <https://bugs.chromium.org/p/webrtc/issues/detail?id=10261#c23>) but most of them use a single vendor for browser interop testing who can help with reaching out (in addition to discuss-webrtc and the release notes) which should minimize the potential for breakage.

>>> *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/709) Applied to TLS and DTLS equally
>>>
>>> *WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/92)
>>>
>>> *Web developers*: No signals
>>>
>>> *Other signals*:
>>>
>>> Ergonomics
>>> n/a, not developer facing
>>>
>>> Activation
>>> n/a, not developer facing
>>>
>>> Security
>>> Using a fixed extension order can encourage server implementers to fingerprint Chrome and then assume specific implementation behavior. This can limit ecosystem agility when Chrome implements future modifications to DTLS, if the server implementations are not prepared for Chrome to change its ClientHello. Chrome will randomly order extensions, subject to the pre_shared_key constraint in the RFC. This will reduce the risk of server and middleboxes fixating on details of our current ClientHello. This should make the DTLS ecosystem more robust to changes.
>>>
>>> WebView application risks
>>> *Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?*
>>> None
>>>
>>> Debuggability
>>> n/a, inner function of TLS stack. Possible to inspect using tools like Wireshark
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>> Yes
>>>
>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>> No
>>>
>>> Flag name on chrome://flags
>>> None
>>>
>>> Finch feature name
>>> WebRTC-PermuteTlsClientHello
>>>
>>> Requires code in //chrome?
>>> False
>>>
>>> Tracking bug
>>> https://bugs.chromium.org/p/webrtc/issues/detail?id=15467
>>>
>>> Estimated milestones
>>> Shipping on desktop 120
>>>
>>> Anticipated spec changes
>>> *Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).*
>>> None
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/5191245718880256
>>>
>>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADxkKi%2BWEyR_PRHcAfNNR0w1SECOZ%2B3PqVN3x%3DGcYjK10tE6sg%40mail.gmail.com.
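The randomisation described under "Security" (shuffle everything, keep pre_shared_key last) and the position-independent lookup a middlebox or monitor needs in order not to break on it, as an added Python example that is not part of this thread or of the Chromium/WebRTC/BoringSSL code: the extension bodies are constructed placeholders, and the parser assumes a bare ClientHello extensions block rather than a full DTLS record.

```python
import random
import struct
# IANA ExtensionType values: use_srtp from RFC 5764, the rest from RFC 8446.
SERVER_NAME, USE_SRTP, PRE_SHARED_KEY, SUPPORTED_VERSIONS, KEY_SHARE = 0, 14, 41, 43, 51

def permute_extensions(exts, rng):
    # Shuffle everything except pre_shared_key, which RFC 8446 4.2.11 requires last.
    movable = [e for e in exts if e[0] != PRE_SHARED_KEY]
    rng.shuffle(movable)
    return movable + [e for e in exts if e[0] == PRE_SHARED_KEY]

def encode_extensions(exts):
    # Wire format: u16 total length, then u16 type / u16 length / opaque data each.
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body

def parse_extensions(blob):
    # Walk the block and return [(type, data), ...] in wire order.
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    out, pos = [], 2
    while pos < len(blob):
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension")
        out.append((ext_type, blob[pos:pos + ext_len]))
        pos += ext_len
    return out

def find_extension(blob, ext_type):
    # Locate an extension by its type code, never by its position; None if absent.
    return next((d for t, d in parse_extensions(blob) if t == ext_type), None)

def permuted_blob(exts, seed):
    # One randomised ClientHello extensions block (seeded for reproducibility).
    return encode_extensions(permute_extensions(exts, random.Random(seed)))

def positions_seen(exts, ext_type, trials=50, seed=0):
    # Wire positions a given extension lands in across many permutations.
    rng = random.Random(seed)
    return {[t for t, _ in permute_extensions(exts, rng)].index(ext_type)
            for _ in range(trials)}

# Constructed sample: use_srtp carries one profile id (0x0007) and an empty MKI; other bodies are placeholders.
SAMPLE = [(SERVER_NAME, b"\x00\x00"), (USE_SRTP, b"\x00\x02\x00\x07\x00"),
          (SUPPORTED_VERSIONS, b"\x02\xfe\xfd"), (KEY_SHARE, b"\x00\x00"),
          (PRE_SHARED_KEY, b"\x00\x00")]
```

`positions_seen(SAMPLE, USE_SRTP)` shows use_srtp wandering across the block while `positions_seen(SAMPLE, PRE_SHARED_KEY)` stays fixed, which is exactly the property a monitor that looks up use_srtp by type is immune to.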