Re: [DNSOP] Proposal for a new record type: SNI

Robert Edmonds <edmonds@mycre.ws> Tue, 21 February 2017 00:06 UTC

Return-Path: <edmonds@mycre.ws>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D261D129467 for <dnsop@ietfa.amsl.com>; Mon, 20 Feb 2017 16:06:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nvias8Jg8GIQ for <dnsop@ietfa.amsl.com>; Mon, 20 Feb 2017 16:06:25 -0800 (PST)
Received: from mycre.ws (mycre.ws [45.33.102.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53CD112943B for <dnsop@ietf.org>; Mon, 20 Feb 2017 16:06:25 -0800 (PST)
Received: by chase.mycre.ws (Postfix, from userid 1000) id B11E512C0DC6; Mon, 20 Feb 2017 19:06:24 -0500 (EST)
Date: Mon, 20 Feb 2017 19:06:24 -0500
From: Robert Edmonds <edmonds@mycre.ws>
To: John R Levine <johnl@taugh.com>
Message-ID: <20170221000624.wxgvpytby7ozznxe@mycre.ws>
References: <alpine.DEB.2.11.1702201458030.23970@grey.csi.cam.ac.uk> <20170220211925.1906.qmail@ary.lan> <CAHw9_i+3zDg5tTnPOstiGcH6RvjnAJgNKpkeHV=0-+mN7VNAxQ@mail.gmail.com> <alpine.OSX.2.20.1702201527550.6009@ary.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.OSX.2.20.1702201527550.6009@ary.local>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wAR3vYrPjDviyUdPY4utimRvBh4>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Proposal for a new record type: SNI
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2017 00:06:27 -0000

John R Levine wrote:
> > http://www.bieberfever.com/ ("The Official Juston Bieber Fan Club") is
> > hosted by Akamai on 23.38.103.18.
> > According to DNSDB (IMO the best passive DNS service), there are 605
> > other sites *also* hosted on 23.38.103.18.
> 
> > No doubt pervasive monitors (and others) will use passive DNS systems
> > to build a map of SNI DNS RRs, but I'd much much rather have the men
> > in black thinking that I'm visiting www.precisiondoor.net,
> > www.theman.in, or www.worldsleadingcruiselines.com than knowing my
> > dirty little secret love of the Bieb...
> 
> I really don't get this.  The bad guys we're worried about have to be
> sophisticated enough to do a packet capture and pick the SNI bits out of TLS
> handshakes.  How plausible is it that those bad guys would say, oh, using a
> script to find the cert hashes that will reveal the specific site is too
> hard so never mind?

Isn't the server's certificate encrypted in TLS 1.3?

And even in previous versions of TLS, at least in the CDN world it's
somewhat common to put unrelated domains on the same SAN certificate.

-- 
Robert Edmonds
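The point argued above, that anyone with a packet capture can "pick the SNI bits out of TLS handshakes", is easy to see in code. The following is an added example written for this page, not code from the thread or from any IETF draft: it builds a minimal ClientHello record (zeroed random, a placeholder cipher-suite list, and the www.bieberfever.com name from the thread used as constructed sample input) and then parses the server_name extension back out of it exactly as a passive monitor would. It also adds a supported_versions extension advertising TLS 1.3, to show that TLS 1.3 encrypts the server's Certificate message but, absent Encrypted Client Hello, still sends the ClientHello and its SNI in the clear. The parser bounds-checks every length field, since a monitor or IDS that parses untrusted ClientHellos without doing so is itself an attack surface.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16            # record content type
HS_CLIENT_HELLO = 0x01          # handshake message type
EXT_SERVER_NAME = 0x0000        # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 0x002B # RFC 8446 supported_versions


def build_client_hello(server_name: Optional[str], tls13: bool = True) -> bytes:
    """Construct a minimal, syntactically valid ClientHello record.

    Constructed sample input: the random is all zeros and the cipher-suite
    list is a two-entry placeholder; a real client would fill both.
    """
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if tls13:
        versions = b"\x03\x04\x03\x03"                           # TLS 1.3, TLS 1.2
        body = bytes([len(versions)]) + versions
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (
        b"\x03\x03"                                              # legacy_version = TLS 1.2
        + bytes(32)                                              # random (constructed zeros)
        + b"\x00"                                                # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"             # cipher_suites (placeholder)
        + b"\x01\x00"                                            # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension.

    Returns None when the extension is absent and raises ValueError when the
    record is not a ClientHello or any length field runs past the data.
    """
    def take(buf: bytes, off: int, n: int):
        if off + n > len(buf):
            raise ValueError("truncated ClientHello")
        return buf[off:off + n], off + n

    hdr, off = take(record, 0, 5)
    if hdr[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs, _ = take(record, off, struct.unpack("!H", hdr[3:5])[0])

    hs_hdr, off = take(hs, 0, 4)
    if hs_hdr[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body, _ = take(hs, off, int.from_bytes(hs_hdr[1:4], "big"))

    _, off = take(body, 0, 2 + 32)                  # legacy_version + random
    sid_len, off = take(body, off, 1)
    _, off = take(body, off, sid_len[0])            # session_id
    cs_len, off = take(body, off, 2)
    _, off = take(body, off, struct.unpack("!H", cs_len)[0])   # cipher_suites
    cm_len, off = take(body, off, 1)
    _, off = take(body, off, cm_len[0])             # compression_methods
    if off == len(body):
        return None                                 # no extensions block at all
    ext_len, off = take(body, off, 2)
    exts, _ = take(body, off, struct.unpack("!H", ext_len)[0])

    off = 0
    while off < len(exts):
        eh, off = take(exts, off, 4)
        etype, elen = struct.unpack("!HH", eh)
        edata, off = take(exts, off, elen)
        if etype != EXT_SERVER_NAME:
            continue
        list_len, p = take(edata, 0, 2)
        names, _ = take(edata, p, struct.unpack("!H", list_len)[0])
        p = 0
        while p < len(names):
            nh, p = take(names, p, 3)
            name_type, name_len = nh[0], struct.unpack("!H", nh[1:3])[0]
            name, p = take(names, p, name_len)
            if name_type == 0:                      # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    capture = build_client_hello("www.bieberfever.com")   # constructed sample
    print(extract_sni(capture))
```

Running the block prints the hostname straight out of the "captured" record; the TLS version negotiated afterwards makes no difference to that. What TLS 1.3 does change is the second half of the argument: with the Certificate message encrypted, a monitor that sees only the handshake can no longer fall back to the certificate's SAN list, which is what makes the plaintext SNI (and a DNS record that copies it) the interesting field.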