Hi folks,

In Prague I mentioned that we were seeing evidence of increased failures with TLS 1.3 which we believed were due to middleboxes. In the meantime, several of us have done experiments on this, and I wanted to provide an update.

The high-order bit is that *negotiating* TLS 1.3 seems to cause increased failures with a variety of middleboxes (it’s generally safe to offer TLS 1.3 to servers which don’t support it). The measured incremental error rates vary quite a bit, ranging from minimal (Facebook) to ~1.5% (Firefox) and ~3.4% (Chrome). Each of us is using a slightly different methodology (organic versus forced traffic) and different populations (mobile, desktop, enterprise, etc), but it does seem like there is a nontrivial failure rate.

At this point, we have two options:

- Fall back to TLS 1.2 (as we have unfortunately done for previous releases)
- Try to make small adaptations to TLS 1.3 to make it work better with middleboxes.

The Chrome team has been working on angle #2 and has been having success with an approach of trying to make TLS 1.3 connections look more like TLS 1.2. Their current experiments get them down to about 1% incremental failures and they are currently measuring some changes they hope will shave that down more. These changes are a bit annoying but basically superficial; they do not affect the cryptography.

Separately, Firefox and Facebook have been experimenting with the new content type described in PR#1051 (Google’s and Facebook’s results conflict, so this is a bit of a mystery).

We hope to have results from both sets of experiments by end of October, at which point we should be able to discuss the best way forward as a group.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
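The message distinguishes *offering* TLS 1.3 (which is harmless) from *negotiating* it, and describes an approach of making TLS 1.3 connections "look more like TLS 1.2" on the wire. The following added example, which is not part of the mailing-list post and is not code from Chrome, Firefox or Facebook, makes that distinction concrete at the byte level: it builds a minimal ClientHello in two shapes and parses it back to report what a version-sensitive middlebox would see. The encoding follows RFC 8446 (published later than this post): a TLS 1.3 offer lives only in the `supported_versions` extension (type 43), and the TLS-1.2-like shape uses `0x0303` in the version field plus a 32-byte session id. The contrasting shape (`0x0304` in the version field, empty session id) is constructed here purely for comparison, and the cipher-suite list and handshake contents are sample values, not a complete hello.

```python
import os
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43        # RFC 8446 section 4.2.1: the only place TLS 1.3 is offered
SAMPLE_SUITES = (0x1301, 0x1302)   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 (constructed offer)


def build_client_hello(offer_tls13: bool, tls12_shape: bool) -> bytes:
    """Return one TLS record carrying a minimal, constructed ClientHello.

    offer_tls13  - advertise 0x0304 in a supported_versions extension; the
                   server may still pick TLS 1.2, so this is an offer, not a negotiation.
    tls12_shape  - put 0x0303 in the version field and send a 32-byte session id,
                   the TLS-1.2-looking shape RFC 8446 settled on. With False the
                   version field carries 0x0304 and the session id is empty
                   (constructed contrast case, not any particular implementation).
    """
    body = bytearray()
    body += struct.pack(">H", TLS12 if tls12_shape else TLS13)    # (legacy_)version
    body += os.urandom(32)                                         # random
    session_id = os.urandom(32) if tls12_shape else b""
    body += bytes([len(session_id)]) + session_id                  # legacy_session_id
    suites = b"".join(struct.pack(">H", s) for s in SAMPLE_SUITES)
    body += struct.pack(">H", len(suites)) + suites                # cipher_suites
    body += b"\x01\x00"                                            # compression: null only
    exts = bytearray()
    if offer_tls13:
        versions = struct.pack(">HH", TLS13, TLS12)                # client preference order
        ext_data = bytes([len(versions)]) + versions
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16" + struct.pack(">HH", TLS12, len(handshake)) + handshake   # handshake record


def inspect_client_hello(record: bytes) -> dict:
    """Parse a ClientHello record and report the fields a middlebox sees,
    separating 'offers TLS 1.3' from 'has the shape of a TLS 1.2 hello'."""
    ctype, _rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != 0x16 or len(record) != 5 + rec_len:
        raise ValueError("not a single complete handshake record")
    hs = record[5:]
    if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]; pos += 2
    pos += 32                                                      # skip random
    sid_len = body[pos]; pos += 1 + sid_len
    suites_len = struct.unpack_from(">H", body, pos)[0]; pos += 2
    suites = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]; pos += 1 + comp_len
    offered = []
    if pos < len(body):                                            # extensions block is optional
        ext_len = struct.unpack_from(">H", body, pos)[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from(">HH", body, pos); pos += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                vlen = body[pos]
                offered = [struct.unpack_from(">H", body, pos + 1 + i)[0] for i in range(0, vlen, 2)]
            pos += elen
    return {
        "version_field": version,
        "session_id_len": sid_len,
        "cipher_suites": suites,
        "supported_versions": offered,
        "offers_tls13": TLS13 in offered,
        "tls12_shape": version == TLS12 and sid_len > 0,
    }


if __name__ == "__main__":
    for offer, shape in ((True, True), (True, False), (False, True)):
        info = inspect_client_hello(build_client_hello(offer, shape))
        print(f"offer_tls13={offer} tls12_shape={shape} -> "
              f"version=0x{info['version_field']:04x} sid_len={info['session_id_len']} "
              f"offers_tls13={info['offers_tls13']} tls12_shape={info['tls12_shape']}")
```

The point the parser makes is that the version field and session id, the bytes a middlebox written for TLS 1.2 keys on, can be identical for a TLS 1.3 offer and a plain TLS 1.2 hello; only the extension reveals the offer, and whether TLS 1.3 is actually negotiated is decided by the server's reply, which is the part the post reports as causing failures.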