<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <title>P1860R0: C++ Networking Must Be Secure By Default</title>
<style data-fill-with="stylesheet">/******************************************************************************
 *                   Style sheet for the W3C specifications                   *
 *
 * Special classes handled by this style sheet include:
 *
 * Indices
 *   - .toc for the Table of Contents (<ol class="toc">)
 *     + <span class="secno"> for the section numbers
 *   - #toc for the Table of Contents (<nav id="toc">)
 *   - ul.index for Indices (<a href="#ref">term</a><span>, in §N.M</span>)
 *   - table.index for Index Tables (e.g. for properties or elements)
 *
 * Structural Markup
 *   - table.data for general data tables
 *     -> use 'scope' attribute, <colgroup>, <thead>, and <tbody> for best results !
 *     -> use <table class='complex data'> for extra-complex tables
 *     -> use <td class='long'> for paragraph-length cell content
 *     -> use <td class='pre'> when manual line breaks/indentation would help readability
 *   - dl.switch for switch statements
 *   - ol.algorithm for algorithms (helps to visualize nesting)
 *   - .figure and .caption (HTML4) and figure and figcaption (HTML5)
 *     -> .sidefigure for right-floated figures
 *   - ins/del
 *
 * Code
 *   - pre and code
 *
 * Special Sections
 *   - .note       for informative notes             (div, p, span, aside, details)
 *   - .example    for informative examples          (div, p, pre, span)
 *   - .issue      for issues                        (div, p, span)
 *   - .assertion  for assertions                    (div, p, span)
 *   - .advisement for loud normative statements     (div, p, strong)
 *   - .annoying-warning for spec obsoletion notices (div, aside, details)
 *
 * Definition Boxes
 *   - pre.def   for WebIDL definitions
 *   - table.def for tables that define other entities (e.g. CSS properties)
 *   - dl.def    for definition lists that define other entitles (e.g. HTML elements)
 *
 * Numbering
 *   - .secno for section numbers in .toc and headings (<span class='secno'>3.2</span>)
 *   - .marker for source-inserted example/figure/issue numbers (<span class='marker'>Issue 4</span>)
 *   - ::before styled for CSS-generated issue/example/figure numbers:
 *     -> Documents wishing to use this only need to add
 *        figcaption::before,
 *        .caption::before { content: "Figure "  counter(figure) " ";  }
 *        .example::before { content: "Example " counter(example) " "; }
 *        .issue::before   { content: "Issue "   counter(issue) " ";   }
 *
 * Header Stuff (ignore, just don't conflict with these classes)
 *   - .head for the header
 *   - .copyright for the copyright
 *
 * Miscellaneous
 *   - .overlarge for things that should be as wide as possible, even if
 *     that overflows the body text area. This can be used on an item or
 *     on its container, depending on the effect desired.
 *     Note that this styling basically doesn't help at all when printing,
 *     since A4 paper isn't much wider than the max-width here.
 *     It's better to design things to fit into a narrower measure if possible.
 *   - js-added ToC jump links (see fixup.js)
 *
 ******************************************************************************/

/******************************************************************************/
/*                                   Body                                     */
/******************************************************************************/

	body {
		counter-reset: example figure issue;

		/* Layout */
		max-width: 50em;               /* limit line length to 50em for readability   */
		margin: 0 auto;                /* center text within page                     */
		padding: 1.6em 1.5em 2em 50px; /* assume 16px font size for downlevel clients */
		padding: 1.6em 1.5em 2em calc(26px + 1.5em); /* leave space for status flag     */

		/* Typography */
		line-height: 1.5;
		font-family: sans-serif;
		widows: 2;
		orphans: 2;
		word-wrap: break-word;
		overflow-wrap: break-word;
		hyphens: auto;

		/* Colors */
		color: black;
		background: white top left fixed no-repeat;
		background-size: 25px auto;
	}


/******************************************************************************/
/*                         Front Matter & Navigation                          */
/******************************************************************************/

/** Header ********************************************************************/

	div.head { margin-bottom: 1em }
	div.head hr { border-style: solid; }

	div.head h1 {
		font-weight: bold;
		margin: 0 0 .1em;
		font-size: 220%;
	}

	div.head h2 { margin-bottom: 1.5em;}

/** W3C Logo ******************************************************************/

	.head .logo {
		float: right;
		margin: 0.4rem 0 0.2rem .4rem;
	}

	.head img[src*="logos/W3C"] {
		display: block;
		border: solid #1a5e9a;
		border-width: .65rem .7rem .6rem;
		border-radius: .4rem;
		background: #1a5e9a;
		color: white;
		font-weight: bold;
	}

	.head a:hover > img[src*="logos/W3C"],
	.head a:focus > img[src*="logos/W3C"] {
		opacity: .8;
	}

	.head a:active > img[src*="logos/W3C"] {
		background: #c00;
		border-color: #c00;
	}

	/* see also additional rules in Link Styling section */

/** Copyright *****************************************************************/

	p.copyright,
	p.copyright small { font-size: small }

/** Back to Top / ToC Toggle **************************************************/

	@media print {
		#toc-nav {
			display: none;
		}
	}
	@media not print {
		#toc-nav {
			position: fixed;
			z-index: 2;
			bottom: 0; left: 0;
			margin: 0;
			min-width: 1.33em;
			border-top-right-radius: 2rem;
			box-shadow: 0 0 2px;
			font-size: 1.5em;
			color: black;
		}
		#toc-nav > a {
			display: block;
			white-space: nowrap;

			height: 1.33em;
			padding: .1em 0.3em;
			margin: 0;

			background: white;
			box-shadow: 0 0 2px;
			border: none;
			border-top-right-radius: 1.33em;
			background: white;
		}
		#toc-nav > #toc-jump {
			padding-bottom: 2em;
			margin-bottom: -1.9em;
		}

		#toc-nav > a:hover,
		#toc-nav > a:focus {
			background: #f8f8f8;
		}
		#toc-nav > a:not(:hover):not(:focus) {
			color: #707070;
		}

		/* statusbar gets in the way on keyboard focus; remove once browsers fix */
		#toc-nav > a[href="#toc"]:not(:hover):focus:last-child {
			padding-bottom: 1.5rem;
		}

		#toc-nav:not(:hover) > a:not(:focus) > span + span {
			/* Ideally this uses :focus-within on #toc-nav */
			display: none;
		}
		#toc-nav > a > span + span {
			padding-right: 0.2em;
		}

		#toc-toggle-inline {
			vertical-align: 0.05em;
			font-size: 80%;
			color: gray;
			color: hsla(203,20%,40%,.7);
			border-style: none;
			background: transparent;
			position: relative;
		}
		#toc-toggle-inline:hover:not(:active),
		#toc-toggle-inline:focus:not(:active) {
			text-shadow: 1px 1px silver;
			top: -1px;
			left: -1px;
		}

		#toc-nav :active {
			color: #C00;
		}
	}

/** ToC Sidebar ***************************************************************/

	/* Floating sidebar */
	@media screen {
		body.toc-sidebar #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			max-width: 80%;
			max-width: calc(100% - 2em - 26px);
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body.toc-sidebar #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}
		body.toc-sidebar #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	/* Hide main scroller when only the ToC is visible anyway */
	@media screen and (max-width: 28em) {
		body.toc-sidebar {
			overflow: hidden;
		}
	}

	/* Sidebar with its own space */
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body:not(.toc-inline) #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}

		body:not(.toc-inline) {
			padding-left: 29em;
		}
		/* See also Overflow section at the bottom */

		body:not(.toc-inline) #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) {
			margin: 0 4em;
		}
	}

/******************************************************************************/
/*                                Sectioning                                  */
/******************************************************************************/

/** Headings ******************************************************************/

	h1, h2, h3, h4, h5, h6, dt {
		page-break-after: avoid;
		page-break-inside: avoid;
		font: 100% sans-serif;   /* Reset all font styling to clear out UA styles */
		font-family: inherit;    /* Inherit the font family. */
		line-height: 1.2;        /* Keep wrapped headings compact */
		hyphens: manual;         /* Hyphenated headings look weird */
	}

	h2, h3, h4, h5, h6 {
		margin-top: 3rem;
	}

	h1, h2, h3 {
		color: #005A9C;
		background: transparent;
	}

	h1 { font-size: 170%; }
	h2 { font-size: 140%; }
	h3 { font-size: 120%; }
	h4 { font-weight: bold; }
	h5 { font-style: italic; }
	h6 { font-variant: small-caps; }
	dt { font-weight: bold; }

/** Subheadings ***************************************************************/

	h1 + h2,
	#subtitle {
		/* #subtitle is a subtitle in an H2 under the H1 */
		margin-top: 0;
	}
	h2 + h3,
	h3 + h4,
	h4 + h5,
	h5 + h6 {
		margin-top: 1.2em; /* = 1 x line-height */
	}

/** Section divider ***********************************************************/

	:not(.head) > hr {
		font-size: 1.5em;
		text-align: center;
		margin: 1em auto;
		height: auto;
		border: transparent solid 0;
		background: transparent;
	}
	:not(.head) > hr::before {
		content: "\2727\2003\2003\2727\2003\2003\2727";
	}

/******************************************************************************/
/*                            Paragraphs and Lists                            */
/******************************************************************************/

	p {
		margin: 1em 0;
	}

	dd > p:first-child,
	li > p:first-child {
		margin-top: 0;
	}

	ul, ol {
		margin-left: 0;
		padding-left: 2em;
	}

	li {
		margin: 0.25em 0 0.5em;
		padding: 0;
	}

	dl dd {
		margin: 0 0 .5em 2em;
	}

	.head dd + dd { /* compact for header */
		margin-top: -.5em;
	}

	/* Style for algorithms */
	ol.algorithm ol:not(.algorithm),
	.algorithm > ol ol:not(.algorithm) {
	 border-left: 0.5em solid #DEF;
	}

	/* Put nice boxes around each algorithm. */
	[data-algorithm]:not(.heading) {
	  padding: .5em;
	  border: thin solid #ddd; border-radius: .5em;
	  margin: .5em calc(-0.5em - 1px);
	}
	[data-algorithm]:not(.heading) > :first-child {
	  margin-top: 0;
	}
	[data-algorithm]:not(.heading) > :last-child {
	  margin-bottom: 0;
	}

	/* Style for switch/case <dl>s */
	dl.switch > dd > ol.only,
	dl.switch > dd > .only > ol {
	 margin-left: 0;
	}
	dl.switch > dd > ol.algorithm,
	dl.switch > dd > .algorithm > ol {
	 margin-left: -2em;
	}
	dl.switch {
	 padding-left: 2em;
	}
	dl.switch > dt {
	 text-indent: -1.5em;
	 margin-top: 1em;
	}
	dl.switch > dt + dt {
	 margin-top: 0;
	}
	dl.switch > dt::before {
	 content: '\21AA';
	 padding: 0 0.5em 0 0;
	 display: inline-block;
	 width: 1em;
	 text-align: right;
	 line-height: 0.5em;
	}

/** Terminology Markup ********************************************************/


/******************************************************************************/
/*                                 Inline Markup                              */
/******************************************************************************/

/** Terminology Markup ********************************************************/
	dfn   { /* Defining instance */
		font-weight: bolder;
	}
	a > i { /* Instance of term */
		font-style: normal;
	}
	dt dfn code, code.idl {
		font-size: medium;
	}
	dfn var {
		font-style: normal;
	}

/** Change Marking ************************************************************/

	del { color: red;  text-decoration: line-through; }
	ins { color: #080; text-decoration: underline;    }

/** Miscellaneous improvements to inline formatting ***************************/

	sup {
		vertical-align: super;
		font-size: 80%
	}

/******************************************************************************/
/*                                    Code                                    */
/******************************************************************************/

/** General monospace/pre rules ***********************************************/

	pre, code, samp {
		font-family: Menlo, Consolas, "DejaVu Sans Mono", Monaco, monospace;
		font-size: .9em;
		page-break-inside: avoid;
		hyphens: none;
		text-transform: none;
	}
	pre code,
	code code {
		font-size: 100%;
	}

	pre {
		margin-top: 1em;
		margin-bottom: 1em;
		overflow: auto;
	}

/** Inline Code fragments *****************************************************/

  /* Do something nice. */

/******************************************************************************/
/*                                    Links                                   */
/******************************************************************************/

/** General Hyperlinks ********************************************************/

	/* We hyperlink a lot, so make it less intrusive */
	a[href] {
		color: #034575;
		text-decoration: none;
		border-bottom: 1px solid #707070;
		/* Need a bit of extending for it to look okay */
		padding: 0 1px 0;
		margin: 0 -1px 0;
	}
	a:visited {
		border-bottom-color: #BBB;
	}

	/* Use distinguishing colors when user is interacting with the link */
	a[href]:focus,
	a[href]:hover {
		background: #f8f8f8;
		background: rgba(75%, 75%, 75%, .25);
		border-bottom-width: 3px;
		margin-bottom: -2px;
	}
	a[href]:active {
		color: #C00;
		border-color: #C00;
	}

	/* Backout above styling for W3C logo */
	.head .logo,
	.head .logo a {
		border: none;
		text-decoration: none;
		background: transparent;
	}

/******************************************************************************/
/*                                    Images                                  */
/******************************************************************************/

	img {
		border-style: none;
	}

	/* For autogen numbers, add
	   .caption::before, figcaption::before { content: "Figure " counter(figure) ". "; }
	*/

	figure, .figure, .sidefigure {
		page-break-inside: avoid;
		text-align: center;
		margin: 2.5em 0;
	}
	.figure img,    .sidefigure img,    figure img,
	.figure object, .sidefigure object, figure object {
		max-width: 100%;
		margin: auto;
	}
	.figure pre, .sidefigure pre, figure pre {
		text-align: left;
		display: table;
		margin: 1em auto;
	}
	.figure table, figure table {
		margin: auto;
	}
	@media screen and (min-width: 20em) {
		.sidefigure {
			float: right;
			width: 50%;
			margin: 0 0 0.5em 0.5em
		}
	}
	.caption, figcaption, caption {
		font-style: italic;
		font-size: 90%;
	}
	.caption::before, figcaption::before, figcaption > .marker {
		font-weight: bold;
	}
	.caption, figcaption {
		counter-increment: figure;
	}

	/* DL list is indented 2em, but figure inside it is not */
	dd > .figure, dd > figure { margin-left: -2em }

/******************************************************************************/
/*                             Colored Boxes                                  */
/******************************************************************************/

	.issue, .note, .example, .assertion, .advisement, blockquote {
		padding: .5em;
		border: .5em;
		border-left-style: solid;
		page-break-inside: avoid;
	}
	span.issue, span.note {
		padding: .1em .5em .15em;
		border-right-style: solid;
	}

	.issue,
	.note,
	.example,
	.advisement,
	.assertion,
	blockquote {
		margin: 1em auto;
	}
	.note  > p:first-child,
	.issue > p:first-child,
	blockquote > :first-child {
		margin-top: 0;
	}
	blockquote > :last-child {
		margin-bottom: 0;
	}

/** Blockquotes ***************************************************************/

	blockquote {
		border-color: silver;
	}

/** Open issue ****************************************************************/

	.issue {
		border-color: #E05252;
		background: #FBE9E9;
		counter-increment: issue;
		overflow: auto;
	}
	.issue::before, .issue > .marker {
		text-transform: uppercase;
		color: #AE1E1E;
		padding-right: 1em;
		text-transform: uppercase;
	}
	/* Add .issue::before { content: "Issue " counter(issue) " "; } for autogen numbers,
	   or use class="marker" to mark up the issue number in source. */

/** Example *******************************************************************/

	.example {
		border-color: #E0CB52;
		background: #FCFAEE;
		counter-increment: example;
		overflow: auto;
		clear: both;
	}
	.example::before, .example > .marker {
		text-transform: uppercase;
		color: #827017;
		min-width: 7.5em;
		display: block;
	}
	/* Add .example::before { content: "Example " counter(example) " "; } for autogen numbers,
	   or use class="marker" to mark up the example number in source. */

/** Non-normative Note ********************************************************/

	.note {
		border-color: #52E052;
		background: #E9FBE9;
		overflow: auto;
	}

	.note::before, .note > .marker,
	details.note > summary::before,
	details.note > summary > .marker {
		text-transform: uppercase;
		display: block;
		color: hsl(120, 70%, 30%);
	}
	/* Add .note::before { content: "Note"; } for autogen label,
	   or use class="marker" to mark up the label in source. */

	details.note > summary {
		display: block;
		color: hsl(120, 70%, 30%);
	}
	details.note[open] > summary {
		border-bottom: 1px silver solid;
	}

/** Assertion Box *************************************************************/
	/*  for assertions in algorithms */

	.assertion {
		border-color: #AAA;
		background: #EEE;
	}

/** Advisement Box ************************************************************/
	/*  for attention-grabbing normative statements */

	.advisement {
		border-color: orange;
		border-style: none solid;
		background: #FFEECC;
	}
	strong.advisement {
		display: block;
		text-align: center;
	}
	.advisement > .marker {
		color: #B35F00;
	}

/** Spec Obsoletion Notice ****************************************************/
	/* obnoxious obsoletion notice for older/abandoned specs. */

	details {
		display: block;
	}
	summary {
		font-weight: bolder;
	}

	.annoying-warning:not(details),
	details.annoying-warning:not([open]) > summary,
	details.annoying-warning[open] {
		background: #fdd;
		color: red;
		font-weight: bold;
		padding: .75em 1em;
		border: thick red;
		border-style: solid;
		border-radius: 1em;
	}
	.annoying-warning :last-child {
		margin-bottom: 0;
	}

@media not print {
	details.annoying-warning[open] {
		position: fixed;
		left: 1em;
		right: 1em;
		bottom: 1em;
		z-index: 1000;
	}
}

	details.annoying-warning:not([open]) > summary {
		text-align: center;
	}

/** Entity Definition Boxes ***************************************************/

	.def {
		padding: .5em 1em;
		background: #DEF;
		margin: 1.2em 0;
		border-left: 0.5em solid #8CCBF2;
	}

/******************************************************************************/
/*                                    Tables                                  */
/******************************************************************************/

	th, td {
		text-align: left;
		text-align: start;
	}

/** Property/Descriptor Definition Tables *************************************/

	table.def {
		/* inherits .def box styling, see above */
		width: 100%;
		border-spacing: 0;
	}

	table.def td,
	table.def th {
		padding: 0.5em;
		vertical-align: baseline;
		border-bottom: 1px solid #bbd7e9;
	}

	table.def > tbody > tr:last-child th,
	table.def > tbody > tr:last-child td {
		border-bottom: 0;
	}

	table.def th {
		font-style: italic;
		font-weight: normal;
		padding-left: 1em;
		width: 3em;
	}

	/* For when values are extra-complex and need formatting for readability */
	table td.pre {
		white-space: pre-wrap;
	}

	/* A footnote at the bottom of a def table */
	table.def           td.footnote {
		padding-top: 0.6em;
	}
	table.def           td.footnote::before {
		content: " ";
		display: block;
		height: 0.6em;
		width: 4em;
		border-top: thin solid;
	}

/** Data tables (and properly marked-up index tables) *************************/
	/*
		 <table class="data"> highlights structural relationships in a table
		 when correct markup is used (e.g. thead/tbody, th vs. td, scope attribute)

		 Use class="complex data" for particularly complicated tables --
		 (This will draw more lines: busier, but clearer.)

		 Use class="long" on table cells with paragraph-like contents
		 (This will adjust text alignment accordingly.)
		 Alternately use class="longlastcol" on tables, to have the last column assume "long".
	*/

	table {
		word-wrap: normal;
		overflow-wrap: normal;
		hyphens: manual;
	}

	table.data,
	table.index {
		margin: 1em auto;
		border-collapse: collapse;
		border: hidden;
		width: 100%;
	}
	table.data caption,
	table.index caption {
		max-width: 50em;
		margin: 0 auto 1em;
	}

	table.data td,  table.data th,
	table.index td, table.index th {
		padding: 0.5em 1em;
		border-width: 1px;
		border-color: silver;
		border-top-style: solid;
	}

	table.data thead td:empty {
		padding: 0;
		border: 0;
	}

	table.data  thead,
	table.index thead,
	table.data  tbody,
	table.index tbody {
		border-bottom: 2px solid;
	}

	table.data colgroup,
	table.index colgroup {
		border-left: 2px solid;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		border-right: 2px solid;
		border-top: 1px solid silver;
		padding-right: 1em;
	}

	table.data th[colspan],
	table.data td[colspan] {
		text-align: center;
	}

	table.complex.data th,
	table.complex.data td {
		border: 1px solid silver;
		text-align: center;
	}

	table.data.longlastcol td:last-child,
	table.data td.long {
	 vertical-align: baseline;
	 text-align: left;
	}

	table.data img {
		vertical-align: middle;
	}


/*
Alternate table alignment rules

	table.data,
	table.index {
		text-align: center;
	}

	table.data  thead th[scope="row"],
	table.index thead th[scope="row"] {
		text-align: right;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		text-align: right;
	}

Possible extra rowspan handling

	table.data  tbody th[rowspan]:not([rowspan='1']),
	table.index tbody th[rowspan]:not([rowspan='1']),
	table.data  tbody td[rowspan]:not([rowspan='1']),
	table.index tbody td[rowspan]:not([rowspan='1']) {
		border-left: 1px solid silver;
	}

	table.data  tbody th[rowspan]:first-child,
	table.index tbody th[rowspan]:first-child,
	table.data  tbody td[rowspan]:first-child,
	table.index tbody td[rowspan]:first-child{
		border-left: 0;
		border-right: 1px solid silver;
	}
*/

/******************************************************************************/
/*                                  Indices                                   */
/******************************************************************************/


/** Table of Contents *********************************************************/

	.toc a {
		/* More spacing; use padding to make it part of the click target. */
		padding-top: 0.1rem;
		/* Larger, more consistently-sized click target */
		display: block;
		/* Reverse color scheme */
		color: black;
		border-color: #3980B5;
		border-bottom-width: 3px !important;
		margin-bottom: 0px !important;
	}
	.toc a:visited {
		border-color: #054572;
	}
	.toc a:not(:focus):not(:hover) {
		/* Allow colors to cascade through from link styling */
		border-bottom-color: transparent;
	}

	.toc, .toc ol, .toc ul, .toc li {
		list-style: none; /* Numbers must be inlined into source */
		/* because generated content isn't search/selectable and markers can't do multilevel yet */
		margin:  0;
		padding: 0;
		line-height: 1.1rem; /* consistent spacing */
	}

	/* ToC not indented until third level, but font style & margins show hierarchy */
	.toc > li             { font-weight: bold;   }
	.toc > li li          { font-weight: normal; }
	.toc > li li li       { font-size:   95%;    }
	.toc > li li li li    { font-size:   90%;    }
	.toc > li li li li .secno { font-size: 85%; }
	.toc > li li li li li { font-size:   85%;    }
	.toc > li li li li li .secno { font-size: 100%; }

	/* @supports not (display:grid) { */
		.toc > li             { margin: 1.5rem 0;    }
		.toc > li li          { margin: 0.3rem 0;    }
		.toc > li li li       { margin-left: 2rem;   }

		/* Section numbers in a column of their own */
		.toc .secno {
			float: left;
			width: 4rem;
			white-space: nowrap;
		}

		.toc li {
			clear: both;
		}

		:not(li) > .toc              { margin-left:  5rem; }
		.toc .secno                  { margin-left: -5rem; }
		.toc > li li li .secno       { margin-left: -7rem; }
		.toc > li li li li .secno    { margin-left: -9rem; }
		.toc > li li li li li .secno { margin-left: -11rem; }

		/* Tighten up indentation in narrow ToCs */
		@media (max-width: 30em) {
			:not(li) > .toc              { margin-left:  4rem; }
			.toc .secno                  { margin-left: -4rem; }
			.toc > li li li              { margin-left:  1rem; }
			.toc > li li li .secno       { margin-left: -5rem; }
			.toc > li li li li .secno    { margin-left: -6rem; }
			.toc > li li li li li .secno { margin-left: -7rem; }
		}
	/* } */

	@supports (display:grid) and (display:contents) {
		/* Use #toc over .toc to override non-@supports rules. */
		#toc {
			display: grid;
			align-content: start;
			grid-template-columns: auto 1fr;
			grid-column-gap: 1rem;
			column-gap: 1rem;
			grid-row-gap: .6rem;
			row-gap: .6rem;
		}
		#toc h2 {
			grid-column: 1 / -1;
			margin-bottom: 0;
		}
		#toc ol,
		#toc li,
		#toc a {
			display: contents;
			/* Switch <a> to subgrid when supported */
		}
		#toc span {
			margin: 0;
		}
		#toc > .toc > li > a > span {
			/* The spans of the top-level list,
			   comprising the first items of each top-level section. */
			margin-top: 1.1rem;
		}
		#toc#toc .secno { /* Ugh, need more specificity to override base.css */
			grid-column: 1;
			width: auto;
			margin-left: 0;
		}
		#toc .content {
			grid-column: 2;
			width: auto;
			margin-right: 1rem;
		}
		#toc .content:hover {
			background: rgba(75%, 75%, 75%, .25);
			border-bottom: 3px solid #054572;
			margin-bottom: -3px;
		}
		#toc li li li .content {
			margin-left: 1rem;
		}
		#toc li li li li .content {
			margin-left: 2rem;
		}
	}


/** Index *********************************************************************/

	/* Index Lists: Layout */
	ul.index       { margin-left: 0; columns: 15em; text-indent: 1em hanging; }
	ul.index li    { margin-left: 0; list-style: none; break-inside: avoid; }
	ul.index li li { margin-left: 1em }
	ul.index dl    { margin-top: 0; }
	ul.index dt    { margin: .2em 0 .2em 20px;}
	ul.index dd    { margin: .2em 0 .2em 40px;}
	/* Index Lists: Typography */
	ul.index ul,
	ul.index dl { font-size: smaller; }
	@media not print {
		ul.index li span {
			white-space: nowrap;
			color: transparent; }
		ul.index li a:hover + span,
		ul.index li a:focus + span {
			color: #707070;
		}
	}

/** Index Tables *****************************************************/
	/* See also the data table styling section, which this effectively subclasses */

	table.index {
		font-size: small;
		border-collapse: collapse;
		border-spacing: 0;
		text-align: left;
		margin: 1em 0;
	}

	table.index td,
	table.index th {
		padding: 0.4em;
	}

	table.index tr:hover td:not([rowspan]),
	table.index tr:hover th:not([rowspan]) {
		background: #f7f8f9;
	}

	/* The link in the first column in the property table (formerly a TD) */
	table.index th:first-child a {
		font-weight: bold;
	}

/******************************************************************************/
/*                                    Print                                   */
/******************************************************************************/

	@media print {
		/* Pages have their own margins. */
		html {
			margin: 0;
		}
		/* Serif for print. */
		body {
			font-family: serif;
		}
	}
	@page {
		margin: 1.5cm 1.1cm;
	}

/******************************************************************************/
/*                                    Legacy                                  */
/******************************************************************************/

	/* This rule is inherited from past style sheets. No idea what it's for. */
	.hide { display: none }



/******************************************************************************/
/*                             Overflow Control                               */
/******************************************************************************/

	.figure .caption, .sidefigure .caption, figcaption {
		/* in case figure is overlarge, limit caption to 50em */
		max-width: 50rem;
		margin-left: auto;
		margin-right: auto;
	}
	.overlarge > table {
		/* limit preferred width of table */
		max-width: 50em;
		margin-left: auto;
		margin-right: auto;
	}

	@media (min-width: 55em) {
		.overlarge {
			margin-left: calc(13px + 26.5rem - 50vw);
			margin-right: calc(13px + 26.5rem - 50vw);
			max-width: none;
		}
	}
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) .overlarge {
			/* 30.5em body padding 50em content area */
			margin-left: calc(40em - 50vw) !important;
			margin-right: calc(40em - 50vw) !important;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) .overlarge {
			/* 4em html margin 30.5em body padding 50em content area */
			margin-left: 0 !important;
			margin-right: calc(84.5em - 100vw) !important;
		}
	}

	@media not print {
		.overlarge {
			overflow-x: auto;
			/* See Lea Verou's explanation background-attachment:
			 * http://lea.verou.me/2012/04/background-attachment-local/
			 *
			background: top left  / 4em 100% linear-gradient(to right,  #ffffff, rgba(255, 255, 255, 0)) local,
			            top right / 4em 100% linear-gradient(to left, #ffffff, rgba(255, 255, 255, 0)) local,
			            top left  / 1em 100% linear-gradient(to right,  #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            top right / 1em 100% linear-gradient(to left, #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            white;
			background-repeat: no-repeat;
			*/
		}
	}
</style>
<style type="text/css">
    table, th, td {
      border: 1px solid black;
      border-collapse: collapse;
      vertical-align: top;
    }
    th, td {
      border-left: none;
      border-right: none;
      padding: 0px 10px;
    }
    th {
      text-align: center;
    }

    del { background: #fcc; color: #000; text-decoration: line-through; }
    ins { background: #cfc; color: #000; }
    blockquote .highlight:not(.idl) { background: initial; margin: initial; padding: 0.5em }
    blockquote ul { background: inherit; }
    blockquote code.highlight:not(.idl) { padding: initial; }
    blockquote c-[a] { color: inherit; } /* Keyword.Declaration */
    blockquote c-[b] { color: inherit; } /* Keyword.Type */
    blockquote c-[c] { color: inherit; } /* Comment */
    blockquote c-[d] { color: inherit; } /* Comment.Multiline */
    blockquote c-[e] { color: inherit; } /* Name.Attribute */
    blockquote c-[f] { color: inherit; } /* Name.Tag */
    blockquote c-[g] { color: inherit; } /* Name.Variable */
    blockquote c-[k] { color: inherit; } /* Keyword */
    blockquote c-[l] { color: inherit; } /* Literal */
    blockquote c-[m] { color: inherit; } /* Literal.Number */
    blockquote c-[n] { color: inherit; } /* Name */
    blockquote c-[o] { color: inherit; } /* Operator */
    blockquote c-[p] { color: inherit; } /* Punctuation */
    blockquote c-[s] { color: inherit; } /* Literal.String */
    blockquote c-[t] { color: inherit; } /* Literal.String.Single */
    blockquote c-[u] { color: inherit; } /* Literal.String.Double */
    blockquote c-[cp] { color: inherit; } /* Comment.Preproc */
    blockquote c-[c1] { color: inherit; } /* Comment.Single */
    blockquote c-[cs] { color: inherit; } /* Comment.Special */
    blockquote c-[kc] { color: inherit; } /* Keyword.Constant */
    blockquote c-[kn] { color: inherit; } /* Keyword.Namespace */
    blockquote c-[kp] { color: inherit; } /* Keyword.Pseudo */
    blockquote c-[kr] { color: inherit; } /* Keyword.Reserved */
    blockquote c-[ld] { color: inherit; } /* Literal.Date */
    blockquote c-[nc] { color: inherit; } /* Name.Class */
    blockquote c-[no] { color: inherit; } /* Name.Constant */
    blockquote c-[nd] { color: inherit; } /* Name.Decorator */
    blockquote c-[ni] { color: inherit; } /* Name.Entity */
    blockquote c-[ne] { color: inherit; } /* Name.Exception */
    blockquote c-[nf] { color: inherit; } /* Name.Function */
    blockquote c-[nl] { color: inherit; } /* Name.Label */
    blockquote c-[nn] { color: inherit; } /* Name.Namespace */
    blockquote c-[py] { color: inherit; } /* Name.Property */
    blockquote c-[ow] { color: inherit; } /* Operator.Word */
    blockquote c-[mb] { color: inherit; } /* Literal.Number.Bin */
    blockquote c-[mf] { color: inherit; } /* Literal.Number.Float */
    blockquote c-[mh] { color: inherit; } /* Literal.Number.Hex */
    blockquote c-[mi] { color: inherit; } /* Literal.Number.Integer */
    blockquote c-[mo] { color: inherit; } /* Literal.Number.Oct */
    blockquote c-[sb] { color: inherit; } /* Literal.String.Backtick */
    blockquote c-[sc] { color: inherit; } /* Literal.String.Char */
    blockquote c-[sd] { color: inherit; } /* Literal.String.Doc */
    blockquote c-[se] { color: inherit; } /* Literal.String.Escape */
    blockquote c-[sh] { color: inherit; } /* Literal.String.Heredoc */
    blockquote c-[si] { color: inherit; } /* Literal.String.Interpol */
    blockquote c-[sx] { color: inherit; } /* Literal.String.Other */
    blockquote c-[sr] { color: inherit; } /* Literal.String.Regex */
    blockquote c-[ss] { color: inherit; } /* Literal.String.Symbol */
    blockquote c-[vc] { color: inherit; } /* Name.Variable.Class */
    blockquote c-[vg] { color: inherit; } /* Name.Variable.Global */
    blockquote c-[vi] { color: inherit; } /* Name.Variable.Instance */
    blockquote c-[il] { color: inherit; } /* Literal.Number.Integer.Long */
  </style>
  <meta content="Bikeshed version 5a2c04fbf9f3418b378c5d733b60fe6fc575091b" name="generator">
  <link href="http://wg21.link/P1860R0" rel="canonical">
  <link href="https://isocpp.org/favicon.ico" rel="icon">
  <meta content="5950e84244ac360b8cc002ab48e9584a769440fb" name="document-revision">
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
   regarding paragraph and lists. */
[data-md] > :first-child {
    margin-top: 0;
}
[data-md] > :last-child {
    margin-bottom: 0;
}</style>
<style>/* style-counters */

body {
    counter-reset: example figure issue;
}
.issue {
    counter-increment: issue;
}
.issue:not(.no-marker)::before {
    content: "Issue " counter(issue);
}

.example {
    counter-increment: example;
}
.example:not(.no-marker)::before {
    content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
    content: "Invalid Example" counter(example);
}

figcaption {
    counter-increment: figure;
}
figcaption:not(.no-marker)::before {
    content: "Figure " counter(figure) " ";
}</style>
<style>/* style-syntax-highlighting */

.highlight:not(.idl) { background: hsl(24, 20%, 95%); }
code.highlight { padding: .1em; border-radius: .3em; }
pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
c-[a] { color: #990055 } /* Keyword.Declaration */
c-[b] { color: #990055 } /* Keyword.Type */
c-[c] { color: #708090 } /* Comment */
c-[d] { color: #708090 } /* Comment.Multiline */
c-[e] { color: #0077aa } /* Name.Attribute */
c-[f] { color: #669900 } /* Name.Tag */
c-[g] { color: #222222 } /* Name.Variable */
c-[k] { color: #990055 } /* Keyword */
c-[l] { color: #000000 } /* Literal */
c-[m] { color: #000000 } /* Literal.Number */
c-[n] { color: #0077aa } /* Name */
c-[o] { color: #999999 } /* Operator */
c-[p] { color: #999999 } /* Punctuation */
c-[s] { color: #a67f59 } /* Literal.String */
c-[t] { color: #a67f59 } /* Literal.String.Single */
c-[u] { color: #a67f59 } /* Literal.String.Double */
c-[cp] { color: #708090 } /* Comment.Preproc */
c-[c1] { color: #708090 } /* Comment.Single */
c-[cs] { color: #708090 } /* Comment.Special */
c-[kc] { color: #990055 } /* Keyword.Constant */
c-[kn] { color: #990055 } /* Keyword.Namespace */
c-[kp] { color: #990055 } /* Keyword.Pseudo */
c-[kr] { color: #990055 } /* Keyword.Reserved */
c-[ld] { color: #000000 } /* Literal.Date */
c-[nc] { color: #0077aa } /* Name.Class */
c-[no] { color: #0077aa } /* Name.Constant */
c-[nd] { color: #0077aa } /* Name.Decorator */
c-[ni] { color: #0077aa } /* Name.Entity */
c-[ne] { color: #0077aa } /* Name.Exception */
c-[nf] { color: #0077aa } /* Name.Function */
c-[nl] { color: #0077aa } /* Name.Label */
c-[nn] { color: #0077aa } /* Name.Namespace */
c-[py] { color: #0077aa } /* Name.Property */
c-[ow] { color: #999999 } /* Operator.Word */
c-[mb] { color: #000000 } /* Literal.Number.Bin */
c-[mf] { color: #000000 } /* Literal.Number.Float */
c-[mh] { color: #000000 } /* Literal.Number.Hex */
c-[mi] { color: #000000 } /* Literal.Number.Integer */
c-[mo] { color: #000000 } /* Literal.Number.Oct */
c-[sb] { color: #a67f59 } /* Literal.String.Backtick */
c-[sc] { color: #a67f59 } /* Literal.String.Char */
c-[sd] { color: #a67f59 } /* Literal.String.Doc */
c-[se] { color: #a67f59 } /* Literal.String.Escape */
c-[sh] { color: #a67f59 } /* Literal.String.Heredoc */
c-[si] { color: #a67f59 } /* Literal.String.Interpol */
c-[sx] { color: #a67f59 } /* Literal.String.Other */
c-[sr] { color: #a67f59 } /* Literal.String.Regex */
c-[ss] { color: #a67f59 } /* Literal.String.Symbol */
c-[vc] { color: #0077aa } /* Name.Variable.Class */
c-[vg] { color: #0077aa } /* Name.Variable.Global */
c-[vi] { color: #0077aa } /* Name.Variable.Instance */
c-[il] { color: #000000 } /* Literal.Number.Integer.Long */
</style>
<style>/* style-selflinks */

.heading, .issue, .note, .example, li, dt {
    position: relative;
}
a.self-link {
    position: absolute;
    top: 0;
    left: calc(-1 * (3.5rem - 26px));
    width: calc(3.5rem - 26px);
    height: 2em;
    text-align: center;
    border: none;
    transition: opacity .2s;
    opacity: .5;
}
a.self-link:hover {
    opacity: 1;
}
.heading > a.self-link {
    font-size: 83%;
}
li > a.self-link {
    left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
    top: auto;
    left: auto;
    opacity: 0;
    width: 1.5em;
    height: 1.5em;
    background: gray;
    color: white;
    font-style: normal;
    transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
    opacity: 1;
}
dfn > a.self-link:hover {
    color: black;
}

a.self-link::before            { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before      { content: "#"; }</style>
<style>/* style-autolinks */

.css.css, .property.property, .descriptor.descriptor {
    color: #005a9c;
    font-size: inherit;
    font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
    content: "‘";
}
.css::after, .property::after, .descriptor::after {
    content: "’";
}
.property, .descriptor {
    /* Don't wrap property and descriptor names */
    white-space: nowrap;
}
.type { /* CSS value <type> */
    font-style: italic;
}
pre .property::before, pre .property::after {
    content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
    content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
    content: "’";
}

[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
    content: "";
}

[data-link-type=element],
[data-link-type=element-attr] {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
    font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after  { content: ">" }

[data-link-type=biblio] {
    white-space: pre;
}</style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"></p>
   <h1 class="p-name no-ref" id="title">P1860R0<br>C++ Networking Must Be Secure By Default</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Published Proposal, <time class="dt-updated" datetime="2019-09-05">2019-09-05</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="http://wg21.link/P1860R0">http://wg21.link/P1860R0</a>
     <dt>Authors:
     <dd>
      <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:achristensen@apple.com">Alex Christensen</a> (<span class="p-org org">Apple</span>)
     <dd>
      <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:jfbastien@apple.com">JF Bastien</a> (<span class="p-org org">Apple</span>)
     <dt>Audience:
     <dd>LEWG
     <dt>Project:
     <dd>ISO/IEC JTC1/SC22/WG21 14882: Programming Language — C++
     <dt>Source:
     <dd><a href="https://github.com/jfbastien/papers/blob/master/source/P1860R0.bs">github.com/jfbastien/papers/blob/master/source/P1860R0.bs</a>
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <hr title="Separator for header">
  </div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li><a href="#motivation"><span class="secno">1</span> <span class="content">Motivation</span></a>
    <li><a href="#perf"><span class="secno">2</span> <span class="content">Performance</span></a>
    <li><a href="#api"><span class="secno">3</span> <span class="content">Proposed API Direction</span></a>
    <li>
     <a href="#appendix"><span class="secno">4</span> <span class="content">Appendix: Security Design</span></a>
     <ol class="toc">
      <li><a href="#root-cert"><span class="secno">4.1</span> <span class="content">Trusted Root Certificates</span></a>
      <li><a href="#inspection"><span class="secno">4.2</span> <span class="content">Certificate Inspection</span></a>
      <li><a href="#selfie"><span class="secno">4.3</span> <span class="content">Self Signed Certificates</span></a>
      <li><a href="#invalid-cert"><span class="secno">4.4</span> <span class="content">Accepting Invalid Certificates</span></a>
      <li><a href="#pin"><span class="secno">4.5</span> <span class="content">Key Pinning</span></a>
      <li><a href="#expire"><span class="secno">4.6</span> <span class="content">Certificate Expiration</span></a>
      <li><a href="#dns"><span class="secno">4.7</span> <span class="content">DNS Encryption</span></a>
      <li><a href="#plaintext"><span class="secno">4.8</span> <span class="content">Plaintext Traffic</span></a>
      <li><a href="#dtls"><span class="secno">4.9</span> <span class="content">UDP and DTLS</span></a>
      <li><a href="#client-cert"><span class="secno">4.10</span> <span class="content">Client Certificates</span></a>
      <li><a href="#experiments"><span class="secno">4.11</span> <span class="content">QUIC and Experimental Protocols</span></a>
      <li><a href="#agile"><span class="secno">4.12</span> <span class="content">Crypto Agility</span></a>
      <li><a href="#key-size"><span class="secno">4.13</span> <span class="content">Public Key Sizes</span></a>
      <li><a href="#cipher"><span class="secno">4.14</span> <span class="content">Cipher Suites</span></a>
      <li><a href="#sha1"><span class="secno">4.15</span> <span class="content">SHA1 Deprecation</span></a>
      <li><a href="#tls10"><span class="secno">4.16</span> <span class="content">TLS1.0 Deprecation</span></a>
      <li><a href="#revocation"><span class="secno">4.17</span> <span class="content">Revoking Individual Certificates</span></a>
      <li><a href="#errors"><span class="secno">4.18</span> <span class="content">Errors</span></a>
      <li><a href="#ports"><span class="secno">4.19</span> <span class="content">Default Ports</span></a>
      <li><a href="#timeouts"><span class="secno">4.20</span> <span class="content">Default Timeouts</span></a>
      <li><a href="#cache"><span class="secno">4.21</span> <span class="content">Connection Caching</span></a>
      <li><a href="#http-cache"><span class="secno">4.22</span> <span class="content">HTTP Caching</span></a>
      <li><a href="#ext"><span class="secno">4.23</span> <span class="content">Extensions</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
   </ol>
  </nav>
  <main>
   <h2 class="heading settled" data-level="1" id="motivation"><span class="secno">1. </span><span class="content">Motivation</span><a class="self-link" href="#motivation"></a></h2>
   <p>The C++ committee is considering adding networking to its standard library to
help keep C++ competitive and modern. This will be a great addition to C++.
However, we are concerned about the lack of Transport Layer Security (TLS)
support in the current specification <a data-link-type="biblio" href="#biblio-n4771">[N4771]</a>. We hope the Committee will
choose a design that encourages developers to write software that will keep
information safe, work with the internet as it is now, and continue to work with
the internet as it will be for the entire lifetime of their software.</p>
   <p>The concern we’re expressing is based on the authors' joint experience
implementing and deploying networking, web, internet, and security software to
over a billion users.</p>
   <p>Most users of C++ networking will want to write applications that run on a
client or server and communicate across an untrusted network such as the
internet. In such an environment, routers often silently <a href="https://www.icann.org/news/blog/what-is-a-man-in-the-middle-attack">record</a> data as they pass it along, or sometimes perform more active attacks such as
manipulating the packets of information, or entirely intercepting streams and
pretending to be the desired recipient. To combat these and many other types of
attacks, Transport Layer Security and Public Key Infrastructure have been
developed and <a href="https://transparencyreport.google.com/https/overview">their use is growing quickly worldwide</a>.
Various groups including the <a href="https://w3ctag.github.io/web-https/">World Wide Web Consortium</a> the <a href="https://letsencrypt.org/2017/06/28/hundred-million-certs.html">Linux Foundation</a> the <a href="https://www.eff.org/deeplinks/2018/12/encrypting-web-encrypting-net-year-review">Electronic Frontier Foundation</a> and <a href="https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/">all major browser vendors</a> have been working to promote the use of secure communication. To make programs
written in C++ vulnerable to these attacks would be a step in the wrong
direction.</p>
   <p>The Networking TS as it now stands provides basically the same capability as if
one were using the Berkeley Sockets API. While it is true that TLS libraries can
be and have been built on top of either the Networking TS or the Berkeley
Sockets API, many developers (especially newly learning developers) might be
ignorant of the need for TLS or its need for maintenance and would write
software that is vulnerable to Man-in-the-Middle attacks or cannot interface
with the growing amount of secure-only content on the internet. Using the
existing design will likely prolong the use of plaintext communication. Further,
they will be unable to communicate with the modern internet because many servers
only support HTTPS which uses TLS. By simply running <code class="highlight"><c- n>curl</c-> <c- o>-</c-><c- n>v</c-> <c- nl>http</c-><c- p>:</c-><c- c1>//apple.com/</c-></code> in a terminal you can see an example of a server that requires TLS to get
meaningful content. If we instead make C++ networking secure by default, naïve
developers will write software that communicates securely and is able to
interact with the modern web. Developers who absolutely want plaintext can still
opt-out of the secure default.</p>
   <p>We offer a sample API and implementation based on the Networking TS reference
implementation in <a data-link-type="biblio" href="#biblio-p1861r0">[P1861R0]</a>.</p>
   <h2 class="heading settled" data-level="2" id="perf"><span class="secno">2. </span><span class="content">Performance</span><a class="self-link" href="#perf"></a></h2>
   <p>A frequent pushback against security-by-default is its runtime cost, in line
with C++’s "you don’t pay for what you don’t use". We don’t think such pushback
is warranted here.</p>
   <p>Modern encryption algorithms have minimal overhead. CPU overhead for the
handshake, bulk encryption and decryption vary widely depending on which of the
many cipher suites are agreed upon by client and server (see <a href="https://www.cryptopp.com/benchmarks.html">benchmark</a>),
and also depending on <a href="https://en.wikipedia.org/wiki/AES_instruction_set">SIMD and special instruction support</a>.
Actual data
transmission rates can even be faster when using TLS over some networks because
costly deep packet inspection is fruitless and therefore not attempted by
routers and ISPs.</p>
   <p>TLS 1.2 requires an additional round trip for the TLS Handshake, but TLS 1.3 has
introduced <a href="https://blog.cloudflare.com/introducing-0-rtt/">0-RTT resumption</a>.
TCP also has a round trip required for connection establishment, but it is so
commonly found useful and worth the small overhead. The same is true of TLS.</p>
   <p>This applies to the majority of networking’s uses. We therefore do not think
performance concerns should prevent networking having TLS by default.</p>
   <h2 class="heading settled" data-level="3" id="api"><span class="secno">3. </span><span class="content">Proposed API Direction</span><a class="self-link" href="#api"></a></h2>
   <p>When constructing a TCP connection, there should be a configuration flag to
specify whether TLS is enabled. We propose that TLS default to on. If it is on,
you get either an encrypted TCP connection after a successful TLS handshake, or
an error when either the TCP connection or TLS handshake fail. As is common, the
handshake would negotiate the most secure version of TLS possible with the
connected client or server. UDP should have an analog with DTLS. The
specification should allow the system to maintain a set of trusted root
certificates or update cipher suites and key sizes without breaking binary or
source compatibility with existing programs. TLS server connections will need
only certificates and private keys to be configured and then the system can do
the rest, and we can encourage these keys to come from files rather than
compiling keys into binaries to extend the lifetime of binaries beyond the
lifetimes of the keys. TLS client connections will, by default, utilize secure
options for certificate validity checking and cipher suite negotiation. If a
developer wants to do advanced handshake manipulation such as adding
non-standard extensions, they can implement a library on top of the plaintext
TCP capability of C++ networking, but beginning developers will be able to write
software that communicates securely. If a developer explicitly sets a
configuration flag to specify that TLS is disabled, they will get a plaintext
connection.</p>
   <p>The existing Networking TS draft has similarities to the Berkeley Sockets API,
which has been the de-facto standard interface for networking for several
decades now. During those decades, the needs of secure networking have evolved
considerably. The IETF has been working to define <a data-link-type="biblio" href="#biblio-ietf-interface">[IETF-INTERFACE]</a> and <a data-link-type="biblio" href="#biblio-ietf-architecture">[IETF-ARCHITECTURE]</a> that allow
for secure or insecure communication with secure being the default. We should
use this work as a model when designing C++ networking and if we do so well it
will meet the needs of all interested parties: those interested in communication
in safe networks and those interested in communication with existing and future
infrastructure in the internet.</p>
   <p>Boost.Asio does have <a href="https://www.boost.org/doc/libs/1_66_0/doc/html/boost_asio/overview/ssl.html">a way to configure SSL</a>, <a href="https://www.boost.org/doc/libs/1_66_0/libs/beast/doc/html/beast/using_io/example_detect_ssl.html">as does Boost.Beast</a>.
This design should not be used because it requires additional configuration in
order to set up a secure connection. This additional complexity barrier would
promote the increase of use of insecure communication on the internet and make
it harder to learn to write secure web applications.</p>
   <h2 class="heading settled" data-level="4" id="appendix"><span class="secno">4. </span><span class="content">Appendix: Security Design</span><a class="self-link" href="#appendix"></a></h2>
   <p>The following are some things to consider when designing Secure C++ Networking:</p>
   <h3 class="heading settled" data-level="4.1" id="root-cert"><span class="secno">4.1. </span><span class="content">Trusted Root Certificates</span><a class="self-link" href="#root-cert"></a></h3>
   <p>Certificate chains establish the identity of the client or server with which we
are communicating. Certificate authorities verify identities with signed
certificates that include references to a root certificate (and possible
intermediate certificates). The other party must trust that the root certificate
has not been compromised for this system to work. The other party must already
have a copy of the trusted root certificates from certificate authorities that
they trust. Different systems may disagree on the trustworthiness of certain
certificate authorities, and the set of trusted root certificates must be
actively maintained. This may be the trickiest part of standardizing TLS in C++.</p>
   <p>Root certificates can be obtained from the system’s own trusted root certificate
store, or places such as <a href="https://curl.haxx.se/docs/caextract.html">Mozilla’s CA certificates</a>.
There needs to be a way
to update these if certificates are revoked. Developers and C++ implementations
will want the ability to add or remove trusted root certificates. Systems might
also want the ability to do so, such as <a href="https://thehackernews.com/2017/07/chrome-certificate-authority.html">when this happened</a>.
Root certificates also expire and the list is subject to additions and removals,
so the system implementing secure networking must provide updates to its root
certificates.</p>
   <h3 class="heading settled" data-level="4.2" id="inspection"><span class="secno">4.2. </span><span class="content">Certificate Inspection</span><a class="self-link" href="#inspection"></a></h3>
   <p>By default establishing a connection to a peer with an untrusted or invalid
certificate should be an error, but we will need to have hooks for certificate
inspection so a program can have the ability to accept or reject a certificate
chain during a TLS handshake. This is needed for several common security
techniques.</p>
   <h3 class="heading settled" data-level="4.3" id="selfie"><span class="secno">4.3. </span><span class="content">Self Signed Certificates</span><a class="self-link" href="#selfie"></a></h3>
   <p>Generating self-signed certificates is easy but often discouraged because the
certificates are not trusted by CAs with widely-distributed root certificates.
People do use them so it should be possible. There should be some hoops to jump
through to get self-signed certificates to work. People doing local testing
can’t get publicly trusted certificates easily without a public IP address, so
the ability to accept self signed certificates makes testing server software
much easier.</p>
   <h3 class="heading settled" data-level="4.4" id="invalid-cert"><span class="secno">4.4. </span><span class="content">Accepting Invalid Certificates</span><a class="self-link" href="#invalid-cert"></a></h3>
   <p>A common response to invalid or untrusted certificates is to show the user a
warning during the TLS handshake. For example, if a server’s certificate has
recently expired, a user might want to remind the administrator to renew the
certificate and then manually proceed with caution.</p>
   <h3 class="heading settled" data-level="4.5" id="pin"><span class="secno">4.5. </span><span class="content">Key Pinning</span><a class="self-link" href="#pin"></a></h3>
   <p>With the ability to inspect certificates comes the ability to do things like
only trusting a certain certificate or public key for a certain domain
regardless of whether a certificate authority has verified a certificate chain.
This is sometimes used to protect against compromised certificate authorities
and other PKI breakdowns. Some banks use pinned certificates to provide more
security, but using pinned certificates requires a separate secure channel for
sending updates when certificates expire. Including the ability to inspect
certificates during TLS handshakes will allow certificate pinning to be
implemented.</p>
   <h3 class="heading settled" data-level="4.6" id="expire"><span class="secno">4.6. </span><span class="content">Certificate Expiration</span><a class="self-link" href="#expire"></a></h3>
   <p>If you’re writing server software and using PKI, you’re going to need to update
your certificates every 6 months to 2 years. The closest thing to permanent
certificates is scripts that automatically renew server certificates with a
certificate authority before they expire but that behavior should probably not
be standardized in the STL. Ideally the certificates would come from a file
rather than being hard-coded into executables to extend the lifetime of the
server software beyond 2 years.</p>
   <h3 class="heading settled" data-level="4.7" id="dns"><span class="secno">4.7. </span><span class="content">DNS Encryption</span><a class="self-link" href="#dns"></a></h3>
   <p>DNS over HTTPS, DNS over TLS, and others prevent eavesdropping and various other
attacks and are gaining support. The ability to do DNS over HTTPS should be as
easy as setting up a connection with TLS in C++ networking.</p>
   <h3 class="heading settled" data-level="4.8" id="plaintext"><span class="secno">4.8. </span><span class="content">Plaintext Traffic</span><a class="self-link" href="#plaintext"></a></h3>
   <p>We should have a way to do something to prevent encryption for use in trusted
networks or for communication with legacy servers. The whole point of this paper
is that this must not be the only option, but it has important uses.</p>
   <h3 class="heading settled" data-level="4.9" id="dtls"><span class="secno">4.9. </span><span class="content">UDP and DTLS</span><a class="self-link" href="#dtls"></a></h3>
   <p>There should be options to use UDP with and without DTLS with secure being
default.</p>
   <h3 class="heading settled" data-level="4.10" id="client-cert"><span class="secno">4.10. </span><span class="content">Client Certificates</span><a class="self-link" href="#client-cert"></a></h3>
   <p>We ought to be able to support them if you write some extra code. Pharmaceutical
companies and militaries use them for everything because the server is sending
sensitive information to the client, and it must verify its identity. Common web
services do not use them, so requesting client certificates should be
configurable by the server program.</p>
   <h3 class="heading settled" data-level="4.11" id="experiments"><span class="secno">4.11. </span><span class="content">QUIC and Experimental Protocols</span><a class="self-link" href="#experiments"></a></h3>
   <p>There is a steady stream of experiments that improve things. We should not
standardize everything, but things like QUIC have great potential. We should
establish guidelines on what constitutes "significant adoption" required for
further standardization. We should also design the interface to be able to
support QUIC.</p>
   <h3 class="heading settled" data-level="4.12" id="agile"><span class="secno">4.12. </span><span class="content">Crypto Agility</span><a class="self-link" href="#agile"></a></h3>
   <p>Cryptography is a field that is affected by new developments in computational
power and algorithms. Communication that was thought to be secure in years past
has been shown to be insecure today, and today’s secure algorithms will likely
also need updating as time progresses. If C++ networking is designed such that
bytes are sent and received through a black-box secure communication system,
that system can be updated to keep communication secure while keeping existing
programs working with modern networks.</p>
   <p>This introduces a new aspect of binary compatibility the C++ committee should be
aware of. For example, if a certain cipher suite is shown to be insecure, an
update might remove it from the set of supported cipher suite to select from
during a TLS handshake. If that cipher suite happened to be the only cipher
suite supported by a desired communication partner, the update will break the
ability to communicate with that peer. In practice, good TLS implementations
offer many cipher suites to choose from and they are kept up to date in order to
prevent such problems, but networking software that is widely deployed in
undermaintained networks do risk such breakage.</p>
   <p>Here are some examples of elements of a secure communication system that may
need updating in addition to the routine updating of certificates:</p>
   <h3 class="heading settled" data-level="4.13" id="key-size"><span class="secno">4.13. </span><span class="content">Public Key Sizes</span><a class="self-link" href="#key-size"></a></h3>
   <p>There need to be able to be updates on what constitutes "enough bits of
security" without recompiling. "RSA claims that 1024-bit keys are likely to
become crackable some time between 2006 and 2010 and that 2048-bit keys are
sufficient until 2030" <a href="https://en.wikipedia.org/wiki/Key_size">according to Wikipedia</a>.
An operating system running
old software ought to be able to update its key size requirements, and programs
using C++ networking may want to customize how they handle and accept key sizes.</p>
   <h3 class="heading settled" data-level="4.14" id="cipher"><span class="secno">4.14. </span><span class="content">Cipher Suites</span><a class="self-link" href="#cipher"></a></h3>
   <p><a href="https://boringssl.googlesource.com/boringssl/">boringssl</a> has deprecated some
older cipher suites that they think are not being used any more. When a cipher
suite has been proven insecure, it must be deprecated and its use must not be
considered secure any more. In order to do this in a compatible way, the system
must handle cipher suite selection and updating with the ability to customize
behavior.</p>
   <h3 class="heading settled" data-level="4.15" id="sha1"><span class="secno">4.15. </span><span class="content">SHA1 Deprecation</span><a class="self-link" href="#sha1"></a></h3>
   <p>TLS1.2 specification says to use SHA1 because it was written well before SHA1
was <a href="https://shattered.io">shown to not be secure</a>. We need the ability to
deprecate algorithms and protocols while maintaining source compatibility with
simple software. Binary compatibility is probably out of the question, so we
will probably need a special <code class="highlight"><c- n>std</c-><c- o>::</c-><c- n>networking</c-></code> namespace that does not promise
binary compatibility if we allow deep control of the algorithms used, but if we
use a black-box things like this can be done underneath us.</p>
   <h3 class="heading settled" data-level="4.16" id="tls10"><span class="secno">4.16. </span><span class="content">TLS1.0 Deprecation</span><a class="self-link" href="#tls10"></a></h3>
   <p><a href="https://tools.ietf.org/html/rfc7457#section-2.3">TLS 1.0 is definitely not secure</a>,
and TLS 1.1 had some
updates in TLS 1.2. C++ implementations should support the latest and best
practices in encryption. There needs to be a path to deprecation that can be
done without breaking existing programs.</p>
   <h3 class="heading settled" data-level="4.17" id="revocation"><span class="secno">4.17. </span><span class="content">Revoking Individual Certificates</span><a class="self-link" href="#revocation"></a></h3>
   <p>The system might provide such a service. Sometimes people are desperately trying
to broadcast that they have been breached. There should be a way to get updates,
but maybe no requirements because sometimes you might not want to trust anyone
to give you revoked certificate list updates. Online Certificate Status Protocol
and Certificate Revocation Lists are used to distribute such revocations.</p>
   <h3 class="heading settled" data-level="4.18" id="errors"><span class="secno">4.18. </span><span class="content">Errors</span><a class="self-link" href="#errors"></a></h3>
   <p>There are a lot of errors. Many of them must result in failure or the entire
protocol is insecure. We probably shouldn’t ask the program if it wants to
continue in such cases. Sometimes, though, we might want to continue. It’s hard
to decide where to draw the line sometimes.</p>
   <h3 class="heading settled" data-level="4.19" id="ports"><span class="secno">4.19. </span><span class="content">Default Ports</span><a class="self-link" href="#ports"></a></h3>
   <p>443 is the default port for HTTPS. Obviously the port must be configurable.</p>
   <h3 class="heading settled" data-level="4.20" id="timeouts"><span class="secno">4.20. </span><span class="content">Default Timeouts</span><a class="self-link" href="#timeouts"></a></h3>
   <p>Some network libraries use one minute of no response from a client or server as
an indication that the connection has been lost, but some network conditions
require waiting for more time for very important things. This must be
configurable.</p>
   <h3 class="heading settled" data-level="4.21" id="cache"><span class="secno">4.21. </span><span class="content">Connection Caching</span><a class="self-link" href="#cache"></a></h3>
   <p>High level structures such as a cache of active connections can lead to great
performance improvements but a client might want to terminate connections or
have multiple connections to the same server for many reasons. Sometimes
retrying a connection to the same server will result in fewer <a href="https://en.wikipedia.org/wiki/Hop_(networking)">hops</a>.
Such structures should
not be included in the STL right now.</p>
   <h3 class="heading settled" data-level="4.22" id="http-cache"><span class="secno">4.22. </span><span class="content">HTTP Caching</span><a class="self-link" href="#http-cache"></a></h3>
   <p>HTTP and its caching is a box of worms we should probably leave to boost and
other libraries for now. It’s fraught with state, cookies, and other fun things.</p>
   <h3 class="heading settled" data-level="4.23" id="ext"><span class="secno">4.23. </span><span class="content">Extensions</span><a class="self-link" href="#ext"></a></h3>
   <p>TLS is designed to be quite extendable. There are some current extensions that
we will want to support in a way that can be added to in the future. For
example, in order to use the HTTP2 protocol, you must include an extension
(ALPN) in the ClientHello TLS message indicating such support and you must
verify the server sent a corresponding extension indicating it understands
HTTP2. To support this, we should allow a property to be set with the ALPN
information rather than having the C++ networking user encode their own TLS
extensions. Similar approaches should be taken with other TLS extensions in an
expandable way.</p>
   <p>This is not an exhaustive list of considerations, but with many of them at some
point a line will need to be drawn and we will need to say "If you want to do
that, implement your own library."</p>
  </main>
<script>
(function() {
  "use strict";
  var collapseSidebarText = '<span aria-hidden="true">←</span> '
                          + '<span>Collapse Sidebar</span>';
  var expandSidebarText   = '<span aria-hidden="true">→</span> '
                          + '<span>Pop Out Sidebar</span>';
  var tocJumpText         = '<span aria-hidden="true">↑</span> '
                          + '<span>Jump to Table of Contents</span>';

  var sidebarMedia = window.matchMedia('screen and (min-width: 78em)');
  var autoToggle   = function(e){ toggleSidebar(e.matches) };
  if(sidebarMedia.addListener) {
    sidebarMedia.addListener(autoToggle);
  }

  function toggleSidebar(on) {
    if (on == undefined) {
      on = !document.body.classList.contains('toc-sidebar');
    }

    /* Don’t scroll to compensate for the ToC if we’re above it already. */
    var headY = 0;
    var head = document.querySelector('.head');
    if (head) {
      // terrible approx of "top of ToC"
      headY += head.offsetTop + head.offsetHeight;
    }
    var skipScroll = window.scrollY < headY;

    var toggle = document.getElementById('toc-toggle');
    var tocNav = document.getElementById('toc');
    if (on) {
      var tocHeight = tocNav.offsetHeight;
      document.body.classList.add('toc-sidebar');
      document.body.classList.remove('toc-inline');
      toggle.innerHTML = collapseSidebarText;
      if (!skipScroll) {
        window.scrollBy(0, 0 - tocHeight);
      }
      tocNav.focus();
      sidebarMedia.addListener(autoToggle); // auto-collapse when out of room
    }
    else {
      document.body.classList.add('toc-inline');
      document.body.classList.remove('toc-sidebar');
      toggle.innerHTML = expandSidebarText;
      if (!skipScroll) {
        window.scrollBy(0, tocNav.offsetHeight);
      }
      if (toggle.matches(':hover')) {
        /* Unfocus button when not using keyboard navigation,
           because I don’t know where else to send the focus. */
        toggle.blur();
      }
    }
  }

  function createSidebarToggle() {
    /* Create the sidebar toggle in JS; it shouldn’t exist when JS is off. */
    var toggle = document.createElement('a');
      /* This should probably be a button, but appearance isn’t standards-track.*/
    toggle.id = 'toc-toggle';
    toggle.class = 'toc-toggle';
    toggle.href = '#toc';
    toggle.innerHTML = collapseSidebarText;

    sidebarMedia.addListener(autoToggle);
    var toggler = function(e) {
      e.preventDefault();
      sidebarMedia.removeListener(autoToggle); // persist explicit off states
      toggleSidebar();
      return false;
    }
    toggle.addEventListener('click', toggler, false);


    /* Get <nav id=toc-nav>, or make it if we don’t have one. */
    var tocNav = document.getElementById('toc-nav');
    if (!tocNav) {
      tocNav = document.createElement('p');
      tocNav.id = 'toc-nav';
      /* Prepend for better keyboard navigation */
      document.body.insertBefore(tocNav, document.body.firstChild);
    }
    /* While we’re at it, make sure we have a Jump to Toc link. */
    var tocJump = document.getElementById('toc-jump');
    if (!tocJump) {
      tocJump = document.createElement('a');
      tocJump.id = 'toc-jump';
      tocJump.href = '#toc';
      tocJump.innerHTML = tocJumpText;
      tocNav.appendChild(tocJump);
    }

    tocNav.appendChild(toggle);
  }

  var toc = document.getElementById('toc');
  if (toc) {
    createSidebarToggle();
    toggleSidebar(sidebarMedia.matches);

    /* If the sidebar has been manually opened and is currently overlaying the text
       (window too small for the MQ to add the margin to body),
       then auto-close the sidebar once you click on something in there. */
    toc.addEventListener('click', function(e) {
      if(e.target.tagName.toLowerCase() == "a" && document.body.classList.contains('toc-sidebar') && !sidebarMedia.matches) {
        toggleSidebar(false);
      }
    }, false);
  }
  else {
    console.warn("Can’t find Table of Contents. Please use <nav id='toc'> around the ToC.");
  }

  /* Wrap tables in case they overflow */
  var tables = document.querySelectorAll(':not(.overlarge) > table.data, :not(.overlarge) > table.index');
  var numTables = tables.length;
  for (var i = 0; i < numTables; i++) {
    var table = tables[i];
    var wrapper = document.createElement('div');
    wrapper.className = 'overlarge';
    table.parentNode.insertBefore(wrapper, table);
    wrapper.appendChild(table);
  }

})();
</script>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-ietf-architecture">[IETF-ARCHITECTURE]
   <dd><a href="https://tools.ietf.org/html/draft-ietf-taps-arch-03">An Architecture for Transport Services</a>. 2019-03-11. URL: <a href="https://tools.ietf.org/html/draft-ietf-taps-arch-03">https://tools.ietf.org/html/draft-ietf-taps-arch-03</a>
   <dt id="biblio-ietf-interface">[IETF-INTERFACE]
   <dd><a href="https://tools.ietf.org/html/draft-ietf-taps-interface-03">An Abstract Application Layer Interface to Transport Services</a>. 2019-03-11. URL: <a href="https://tools.ietf.org/html/draft-ietf-taps-interface-03">https://tools.ietf.org/html/draft-ietf-taps-interface-03</a>
   <dt id="biblio-n4771">[N4771]
   <dd>Jonathan Wakely. <a href="https://wg21.link/n4771">Working Draft, C++ Extensions for Networking</a>. 8 October 2018. URL: <a href="https://wg21.link/n4771">https://wg21.link/n4771</a>
   <dt id="biblio-p1861r0">[P1861R0]
   <dd><a href="https://wg21.link/P1861R0">Secure Connections in Networking TS</a>. 2019-09-05. URL: <a href="https://wg21.link/P1861R0">https://wg21.link/P1861R0</a>
  </dl>