Re: [DNSOP] Proposal for a new record type: SNI

[Ben Schwartz <bemasc@google.com>]

On Tue, Feb 14, 2017 at 7:51 PM, Adrien de Croy <adrien@qbik.com> wrote:

>
>
> presuming that the client will have to look up the hostname of the
> destination at some stage, and presuming that a passive network attacker
> may see DNS requests as well as TCP connections, how does this help?
>
> Or does this require the use of DNS over TLS.
>

The draft says:


   A passive adversary who monitors the client's DNS queries could learn
   which domain the client is accessing, defeating the confidentiality
   benefits of this record type.  Therefore, clients wishing to conceal
   browsing history from a passive adversary SHOULD also use DNS over
   TLS [RFC7858 <https://tools.ietf.org/html/rfc7858>].  However,
clients MAY use SNI records with standard
   DNS, in order to provide protection against a weak passive adversary
   who can monitor only the link between the client and the TLS server,
   not the link between the client and the DNS server.


And also there will be leakage of certificate IDs in OCSP lookups which
> cannot be secured due to the paradox that would create.  An attacker could
> mine sites for cert IDs and do a reverse mapping from that.
>

Interesting observation!  I'll add a note.  However, I don't think this is
a big problem.  The goal is not to hide which certificate is being used.
The goal is to hide which domain is being accessed within a multi-domain
(SAN/UCC or wildcard) certificate.


> Adrien
>
> ------ Original Message ------
> From: "Ben Schwartz" <bemasc@google.com>
> To: "Robert Edmonds" <edmonds@mycre.ws>
> Cc: "dnsop@ietf.org" <dnsop@ietf.org>
> Sent: 15/02/2017 9:03:09 AM
> Subject: Re: [DNSOP] Proposal for a new record type: SNI
>
>
>
> On Tue, Feb 14, 2017 at 2:16 PM, Robert Edmonds <edmonds@mycre.ws> wrote:
>
>> Ben Schwartz wrote:
>> > Hi dnsop,
>> >
>> > I've written a draft proposal to improve the privacy of TLS
>> connections, by
>> > letting servers use the DNS to tell clients what SNI to send.
>> >
>> > https://tools.ietf.org/html/draft-schwartz-dns-sni-01
>> >
>> > I've incorporated some helpful feedback [1] from the TLS WG, but now I
>> > could use your help analyzing the DNS side. All comments welcome; this
>> > draft will change based on your feedback.
>> >
>> > One particular issue that I could use advice on: should this be a new
>> > record type, or should it reuse/repurpose an existing type like SRV or
>> PTR?
>> >
>> > Thanks,
>> > Ben
>> >
>> > [1] https://www.ietf.org/mail-archive/web/tls/current/msg22353.html
>>
>> Hi, Ben:
>>
>> I'm kind of curious: your examples are pretty HTTP-centric, and HTTP
>> already has some pretty strong features for origins to persistently
>> modify how clients perform TLS, i.e., HTTP Strict Transport Security and
>> HTTP Public Key Pinning, along with preloading of those settings by the
>> browser vendors. Why not follow that same model for the functionality in
>> your draft?
>>
>> --
>> Robert Edmonds
>>
>
> Hi Robert,
>
> While this technique would apply to any use of TLS, you're right that I'm
> mainly motivated by improvements for HTTPS.
>
> It's true, we could accomplish something like this by preloading a data
> file into browsers.  In some sense, this is also true for any aspect of
> DNS!  Obviously, preloading fares very badly when the data in question is
> valid for short times, or applies to many thousands or millions of domains,
> and I think both problems apply here.
>
> For example, a CDN that operates DNS on behalf of its customers could
> apply SNI records to all of their domains.  Preloading all of those domains
> into every browser seems impractical, and the list will quickly become
> outdated.
>
> Without preloading, we cannot solve the problem of revealing the
> destination in the initial connection.
>
> I would also note that HSTS and HPKP could not have been implemented using
> insecure DNS, given their adversary model.  The SNI record is very
> different, and does not require DNSSEC.
>
> --Ben
>
>