A new mechanism for TLS that will catch incompatibility issues.
An engineer at Google has designed a new mechanism to spot potential compatibility issues in the TLS protocol.
David Benjamin, who works on Chrome’s TLS capabilities, designed and named this mechanism GREASE, or Generate Random Extensions And Sustain Extensibility.
The goal of this mechanism is to catch interoperability issues early. Servers and software that properly implement TLS should be able to receive these GREASE values from a client without failing or terminating a connection.
One of the main features of TLS protocol is extensibility, which is how easy it is to add new features without worrying about updating existing clients. TLS was designed to be very extensible, and for the most part it has been. This is what has allowed TLS to remain the protocol securing internet connections for nearly two decades, adapting to changing algorithms and security needs.
However, given the number of implementations of TLS being used by servers around the world, and the amount of time it can take for new values to appear, TLS’ extensibility is not as strong as previously believed. GREASE is trying to fix that.
GREASE is specifically looking to find servers that don’t deal well with unexpected values. For example, when establishing a connection, the client provides the server with a list of capabilities it supports – for everything from protocol version to cipher suites. If the server does not recognize one of the values the client provides, it should be able to ignore it and successfully start a connection with the best available options.
But a common server-side bug is for the connection to fail when it receives an unknown value. This is something that the TLS 1.3 designers are currently running into with a problem known as version intolerance where certain servers terminate connections if they see a TLS protocol version they don’t know.
As it’s designed, TLS should not have these issues. But many – if not most – implantations do not follow the standard 100%. Mistakes – either out of carelessness or genuine oversights – are bound to happen, especially with a protocol that has a 100 page specification.
The root of the issue is that while TLS was designed to be extensible, it can be a long long time until that extensibility is “exercised”, as Benjamin puts it. In the case of version intolerance, TLS 1.3 will be the first new TLS version in about 8 years. That means that software which incorrectly handles unknown version values has had nearly a decade to have these types of bugs that go unnoticed, while the software becomes popular, widely-used, deeply integrated, and disastrous for future improvements to the protocol.
GREASE will provide a formalized way to get wide-scale and real-world data on where clients and servers are not compatible. “Servers that do not tolerate unknown values will fail to interoperate with existing clients, revealing the mistake before it is widespread.” Remember, the goal of extensibility is to allow the TLS protocol to develop over time and add new functionality without breaking existing implementations.
Google will be “apply[ing] GREASE to TLS cipher suites, extensions, and ECDH curves, hopefully expanding to other fields in the future.” This will keep these extensions “well-oiled.”
The GREASE acronym was inspired by an essay written by Adam Langley, who is a fellow Google engineer. Langley says, “protocols should be extensible: the world keeps changing and no design is going to be perfect for all time.”