This is a PSA about a small tweak to an existing feature. The change is to include the TLS ALPN extension when initiating a new connection for wss-schemed WebSockets, offering just the default "http/1.1" protocol. Currently, unlike HTTPS connections, such connections do not offer ALPN at all. Changing this aligns with Firefox and Safari, hardens against cross-protocol attacks (see ALPACA), and makes wss eligible for the False Start optimization. It also simplifies work on the HTTPS DNS record.

Motivation

HTTP/1.1 is already the default, so this change does not affect the actual negotiated protocol. However, sending ALPN hardens against cross-protocol attacks (e.g. the ALPACA attack), aligns with Firefox and Safari, and makes WebSocket TLS 1.2 connections eligible for the TLS False Start optimization, which we currently gate on ALPN. Finally, the ongoing HTTPS/SVCB DNS record work relies on passing ALPN preferences further down the net stack.
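The summary and the motivation above both turn on one small piece of the TLS handshake: the ALPN extension (RFC 7301) that the wss client now sends with the single entry "http/1.1", and the strict server-side check that ALPACA-style cross-protocol mitigations rely on. The following added example (not code from Chromium or from this page) encodes and decodes that extension byte-for-byte and models a server's selection logic. The function names, the `default` fallback parameter, and the sample protocol lists are assumptions for illustration; the wire format and the "no match means abort with no_application_protocol" rule come from RFC 7301.

```python
"""Encode/decode the TLS ALPN extension and model strict server-side selection.

Added example, not Chromium code. Wire format per RFC 7301:
  extension_type (2 bytes, 0x0010)
  extension_data length (2 bytes)
  ProtocolNameList length (2 bytes)
  one or more ProtocolName: 1-byte length + 1..255 bytes of name
"""
import struct
from typing import List, Optional

ALPN_EXTENSION_TYPE = 0x0010  # application_layer_protocol_negotiation


def encode_alpn_extension(protocols: List[str]) -> bytes:
    """Return the complete extension (type + length + ProtocolNameList)."""
    if not protocols:
        raise ValueError("ALPN extension must carry at least one protocol name")
    names = b""
    for proto in protocols:
        raw = proto.encode("ascii")
        if not 1 <= len(raw) <= 255:  # RFC 7301: opaque ProtocolName<1..2^8-1>
            raise ValueError(f"invalid protocol name length: {proto!r}")
        names += struct.pack("!B", len(raw)) + raw
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(body)) + body


def decode_alpn_extension(data: bytes) -> List[str]:
    """Parse an encoded extension, rejecting malformed or empty lists."""
    if len(data) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ALPN_EXTENSION_TYPE:
        raise ValueError(f"not an ALPN extension: type 0x{ext_type:04x}")
    if ext_len != len(data) - 4:
        raise ValueError("extension length does not match payload")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len != ext_len - 2:
        raise ValueError("ProtocolNameList length does not match payload")
    names: List[str] = []
    pos, end = 6, 6 + list_len
    while pos < end:
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > end:
            raise ValueError("malformed ProtocolName")
        names.append(data[pos:pos + n].decode("ascii"))
        pos += n
    if not names:
        raise ValueError("ProtocolNameList must not be empty")
    return names


def select_protocol(server_protocols: List[str],
                    client_offered: Optional[List[str]],
                    default: str = "http/1.1") -> Optional[str]:
    """Model a strict server's ALPN decision.

    client_offered is None when the ClientHello carried no ALPN extension.
    - No ALPN: legacy fallback to `default`; this is the gap that a client
      that never sends ALPN leaves open to cross-protocol confusion.
    - ALPN with an overlap: the first protocol in server preference order.
    - ALPN with no overlap: None, meaning the server must abort the
      handshake with a no_application_protocol alert.
    """
    if client_offered is None:
        return default
    for proto in server_protocols:
        if proto in client_offered:
            return proto
    return None


if __name__ == "__main__":
    # Constructed sample: what a wss client offers after this change.
    ext = encode_alpn_extension(["http/1.1"])
    print(ext.hex(), decode_alpn_extension(ext))
    print("strict match:", select_protocol(["http/1.1"], ["http/1.1"]))
    print("no ALPN (legacy):", select_protocol(["http/1.1"], None))
    print("mismatch -> abort:", select_protocol(["http/1.1"], ["imap"]))
```

The last two calls show why offering even the default protocol matters: a client that sends no ALPN is accepted by the server's legacy fallback, whereas a client that always offers "http/1.1" gives a strict server something to check against, so a handshake that reaches a non-HTTP service is refused rather than silently completed.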

Specification

Specification link

Final published standard: Recommendation, Living Standard, Candidate Recommendation, or similar final form

Status in Chromium

Internals>Network>SSL

Enabled by default

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped/Shipping
  • Shipped/Shipping
  • No signals

Owner

Last updated on 2022-04-28