HTML5Labs is where Microsoft prototypes early and unstable specifications from web standards bodies such as W3C. Sharing these prototypes helps us have informed discussions with developer communities, and enables us to provide better feedback on draft specifications based on this implementation experience. To find out more about HTML5Labs, read the blog by Dean Hachamovitch, Corporate Vice President for Internet Explorer, and the blog by Jean Paoli, President, Microsoft Open Technologies, Inc.
Earlier in February we published on HTML5Labs an updated version of our HTTP/2.0 prototype that introduced support for ALPN. Shortly thereafter, on Thursday 2/21, Stephan Friedl and Andrei Popov proposed an update to the ALPN spec draft that refines the protocol in a couple of important aspects:
- "Application Layer Protocol Negotiation Extension" now defines ProtocolNameList and ProtocolName as variable-length arrays, as typically done in TLS. This increases payload size by 2 bytes, but allows the use of the normal TLS parsers.
- "Protocol Selection" defines a new fatal alert, no_application_protocol, to be used with the ALPN extension only, instead of a generic handshake_failure alert. This helps distinguish application protocol negotiation issues from other handshake failures.
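The length-prefixed encoding from the first bullet and the server-side selection with the new alert from the second, as an added example (not code from the prototype or the draft). It assumes the prefix sizes of the final ALPN specification, RFC 7301 (2-byte list length, 1-byte name length); the function names, the exception standing in for the alert, and the sample protocol identifiers are constructed for illustration.

```python
import struct


class NoApplicationProtocol(Exception):
    """Stands in for the fatal no_application_protocol alert (hypothetical name)."""


def encode_protocol_name_list(names):
    """Encode names as length-prefixed ProtocolName entries inside a
    length-prefixed ProtocolNameList (assumed sizes: 1 byte and 2 bytes)."""
    body = b"".join(bytes([len(n)]) + n for n in names)
    return struct.pack("!H", len(body)) + body


def parse_protocol_name_list(ext_data):
    """Parse the extension body strictly, rejecting any length that
    disagrees with the bytes actually present."""
    if len(ext_data) < 2:
        raise ValueError("truncated ProtocolNameList length")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    if list_len != len(ext_data) - 2:
        raise ValueError("list length does not match extension size")
    names, pos = [], 2
    while pos < len(ext_data):
        name_len = ext_data[pos]
        pos += 1
        if name_len == 0:
            raise ValueError("empty ProtocolName")
        if pos + name_len > len(ext_data):
            raise ValueError("ProtocolName overruns the list")
        names.append(ext_data[pos:pos + name_len])
        pos += name_len
    if not names:
        raise ValueError("empty ProtocolNameList")
    return names


def select_protocol(client_names, server_preference):
    """Server owns the choice: first server-preferred name the client offered."""
    offered = set(client_names)
    for name in server_preference:
        if name in offered:
            return name
    # No overlap: report it distinctly rather than as a generic handshake failure.
    raise NoApplicationProtocol("no protocol in common")


# Constructed sample: a client offering two protocols.
SAMPLE = encode_protocol_name_list([b"spdy/3", b"http/1.1"])
```

Malformed input raises `ValueError` rather than `NoApplicationProtocol`, so a parsing failure is never reported as a negotiation mismatch.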
Today, we are posting a further update that accounts for those improvements. The new prototype also leverages OpenSSL on Apache as a backend. We are making the corresponding patch available in the download tab together with the new client installer.
-------Original Release: 2/15/2013-------
As part of the HTTP/2.0 effort, the industry is collaborating to reinforce Internet communication security in the IETF Transport Layer Security Working Group (TLS WG). Two security experts from Cisco and Microsoft have submitted ALPN-01 (Application Layer Protocol Negotiation), a safer and simpler application protocol negotiation approach, backed up by a new HTML5 Labs HTTP/2.0 prototype by Microsoft Open Technologies, Inc. incorporating an initial implementation of ALPN-01.
The new ALPN-01 (Application Layer Protocol Negotiation) Internet draft proposes a protocol negotiation in accordance with established TLS architecture with the following benefits:
- ALPN places ownership of protocol selection on the server, not the client. This allows the server to select an appropriate certificate based on the application protocol, which is in line with existing TLS handshake extensions.
- ALPN performs protocol negotiation in the clear by default: in general there is no need for encrypted communication during the handshake. This permits servers to differentiate routing, QoS and firewalling by protocol.
- For use cases that can justify the tradeoff with additional latency, ALPN still retains support for confidential protocol negotiation through standard TLS renegotiation.