This is a PSA about a small tweak to an existing feature. The change is to include the TLS ALPN extension when initiating a new connection for wss-schemed WebSockets, offering just the default "http/1.1" protocol. Currently, unlike HTTPS connections, such connections do not offer ALPN at all. Changing this aligns with Firefox and Safari, hardens against cross-protocol attacks (see ALPACA), and makes wss eligible for the False Start optimization. It also simplifies work on the HTTPS DNS record.
Motivation
HTTP/1.1 is already the default, so this change does not affect the actual negotiated protocol. However, sending ALPN hardens against cross-protocol attacks (e.g. the ALPACA attack), aligns with Firefox and Safari, and makes WebSocket TLS 1.2 connections eligible for the TLS False Start optimization, which we currently gate on ALPN. Finally, the ongoing HTTPS/SVCB DNS record work relies on passing ALPN preferences further down the net stack.
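To make the before/after concrete, here is an added example (not Chromium code, and not part of this PSA) that uses Go's standard crypto/tls to run two in-process TLS handshakes over net.Pipe: one where the client offers no ALPN at all, as wss did before this change, and one where it offers only "http/1.1", as it does after. The server-side requireALPN policy and the hostname ws.example.test are this example's own constructions; the page does not describe any particular server behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// wssALPN is what a wss:// client offers after this change: only the default
// "http/1.1", because the WebSocket upgrade rides on HTTP/1.1.
func wssALPN() []string { return []string{"http/1.1"} }

// requireALPN is a server-side policy (this example's own) an endpoint can apply once
// browsers send ALPN: a session with no negotiated protocol was never bound to HTTP,
// which is the gap cross-protocol (ALPACA-style) attacks rely on, so it is refused.
func requireALPN(negotiated string) error {
	if negotiated == "" {
		return errors.New("tls: no ALPN protocol negotiated, refusing connection")
	}
	return nil
}

// selfSignedCert builds a throwaway certificate plus a root pool trusting it
// (constructed for this example; ws.example.test is a made-up name).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ws.example.test"},
		DNSNames:              []string{"ws.example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshake runs a TLS handshake between an in-process client and server over
// net.Pipe (no sockets) and returns the protocol the server negotiated, or "".
func handshake(clientALPN []string) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	serverConf := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		NextProtos:             []string{"http/1.1"}, // the only protocol this endpoint speaks
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no post-handshake tickets, so the synchronous pipe cannot stall
	}
	clientConf := &tls.Config{
		RootCAs:    pool,
		ServerName: "ws.example.test",
		NextProtos: clientALPN, // nil reproduces the old wss behaviour: no ALPN extension at all
		MinVersion: tls.VersionTLS12,
	}
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	client, server := tls.Client(clientSide, clientConf), tls.Server(serverSide, serverConf)
	clientErr := make(chan error, 1)
	go func() { clientErr <- client.Handshake() }()
	if err := server.Handshake(); err != nil {
		return "", err
	}
	if err := <-clientErr; err != nil {
		return "", err
	}
	return server.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	for _, offered := range [][]string{nil, wssALPN()} { // before and after this change
		got, err := handshake(offered)
		fmt.Printf("offered %v -> negotiated %q, err=%v, policy=%v\n", offered, got, err, requireALPN(got))
	}
}
```

The first handshake succeeds but leaves NegotiatedProtocol empty, which is why a server cannot tell a legitimate pre-change wss client from a connection that was never meant for HTTP. Once clients offer "http/1.1", the server sees it in ConnectionState and a policy like requireALPN becomes enforceable without breaking browsers.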
Specification
Final published standard: Recommendation, Living Standard, Candidate Recommendation, or similar final form
Status in Chromium
Enabled by default
Consensus & Standardization
- Shipped/Shipping
- Shipped/Shipping
- No signals
Owner
Last updated on 2022-04-28