draft-mm-wg-effect-encrypt-13 Sections 6.2-6.4
Martin Thomson <martin.thomson@gmail.com> Tue, 28 November 2017 06:51 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB751127876 for <ietf@ietfa.amsl.com>; Mon, 27 Nov 2017 22:51:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxa9gf_OpGZ6 for <ietf@ietfa.amsl.com>; Mon, 27 Nov 2017 22:51:39 -0800 (PST)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1150F1200E5 for <ietf@ietf.org>; Mon, 27 Nov 2017 22:51:39 -0800 (PST)
Received: by mail-oi0-x22c.google.com with SMTP id a75so21267260oib.1 for <ietf@ietf.org>; Mon, 27 Nov 2017 22:51:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=HC5wKV2i5RJZPBdTwF53KrZrVAa2Y7rkB4UdRzsvi0w=; b=TWGf+Yn2FG1xlxKcqK1GZdpySFQ7PyhkAuknvItfRP3hMAC7bYfZZwRzEWcLKrRmm4 pFIfMimS9BIpSSeuoAun8+s6Rr2rae8SmXK2v8SOX5dG5dpTF6QnGVxV4ai2+3y2KYyn gd/BxlTOKcPZGR7cEhp5+3QgM+FcGnm9qnpLZIK7W+qAgw+coJkZpkoMZUQqrwK0oChX Zt+7Y8+PYrtdRf+TsBDc+JvZwrKtcgGiKobuXouWqa8nvw0DPxKrg84Eqah2gbQ24Z4h MhR4ZJrUX2MOd10DpcEyFTkZW18LaFOqcktbgu4RUurMXQW3KvXrPE7+bYbaV0iPrkGQ qoFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=HC5wKV2i5RJZPBdTwF53KrZrVAa2Y7rkB4UdRzsvi0w=; b=Ra0xg/7C3d9YSn8MEY+KGS/UgEhv4/+RZq5CsV4tVQKQgfW1OK54JNCtb1Z0mdHVq+ gU4UFd4ZAaYiVGVnTiK5Q20lgeXDt9TYNegZg9ZRmf6XlvDmSLo1g76mdRlMuK2/zM+u dGSTlp3NE99NjwZPhuyP57T5c1xJqqqym2knPeEmcUacfVK2+2qEjKgJX6Y8RUpn5Yqx RTbYG6gUipMfvFwOEIQp1rWFdRYu16ndBABukfBQo4Z9Ywn6AJqzYSz5dx0H3jC0UpPS GVeHPNARwh+xOXzlYDuv5fDj4M7Ql5Y5XBwkm34z8lwiZpfRe2EVnn/pU8ZORFQkYD6k QCWQ==
X-Gm-Message-State: AJaThX7aUIFoq/C2uHLy9SwQMmSdmkQIPVuGUs4yVe7Wpd769C9oAFp0 YqAjld4ZpulS0DM0vHa3e9qHLaLbdXs/7rkgUmy2ol0T
X-Google-Smtp-Source: AGs4zMYX6UUNVE5f9qxxSbKlhrnFDMK8LyHswdTRtiPYw7AVgpjBuCEqMFljYWqOqoXXSCOuS9pxseuHuRVREkNjwiA=
X-Received: by 10.202.170.143 with SMTP id t137mr18564893oie.313.1511851898159; Mon, 27 Nov 2017 22:51:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.8.11 with HTTP; Mon, 27 Nov 2017 22:51:37 -0800 (PST)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 28 Nov 2017 17:51:37 +1100
Message-ID: <CABkgnnU5jd--NAodUMsnDf1Ei036hd9WPmK7qHFtNa=5=vhoYw@mail.gmail.com>
Subject: draft-mm-wg-effect-encrypt-13 Sections 6.2-6.4
To: "ietf@ietf.org" <ietf@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/6iLwZ2noGQ92tiZQMQ0BwlTOgEI>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Nov 2017 06:51:41 -0000
I haven't time at the moment to go through this document in detail. But I did notice a few obvious errors in the mentioned sections. 6.2 SNI encryption has been adopted by the TLS WG, but that doesn't mean that all future versions of TLS will include the capability - or even be able to use it - as the text implies. Encrypting SNI calls for some hard trade-offs that likely mean that encryption won't be universally deployed. I do appreciate the effort to forewarn about this, but it misses the point somewhat. The point here is that SNI is being used as a proxy for identification of content. That it is a poor proxy is widely acknowledged (though not in the draft), but it has been more or less accepted as adequate for some applications of content-based discrimination. Let's say that we accept that as implicit - rather than a cleaner explicit statement - and continue to focus on identification of content via SNI. In that case, RFC 7540 defined something that should be more of a concern: connection coalescing. That feature is also widely implemented in browsers. The ORIGIN frame (draft-ietf-httpbis-origin-frame) makes this stronger by potentially taking DNS out of the loop. Add the likely-to-be-adopted draft-bishop-httpbis-http2-additional-certs and things far more challenging for snooping than merely encrypting SNI. This is misleading: It should be noted that HTTP/2 introduces the Alt-SVC method for upgrading the connection from HTTP/1 to either unencrypted or encrypted HTTP/2. If the initial HTTP/1 request is unencrypted, the destination alternate service name can be identified before the communication is potentially upgraded to encrypted HTTP/2 transport. RFC 8164 defines the use of Alt-Svc [check capitalization] for opportunistically upgrading to an encrypted (and authenticated!) transport. The claim here that the service name can be identified is perhaps correct, but also unnecessary, since the alternative is contacted using the SNI of the original (as defined in RFC 7838). 6.3 As I mentioned in a previous review, ALPN is not encrypted in TLS 1.3. The correct statement would be that ALPN options are available to the network (just like SNI), but the selection by the server is not. I'm still not sure what use cases this datum drives though. 6.4 This mentions nothing of padding. Padding is available in HTTP/2 and TLS 1.3, plus many other protocols. It at least deserves some recognition, even if it isn't widely deployed (outside of some relatively specialized uses, that is). There's a whole RFC on traffic analysis and countermeasures missing from our dialogue here, but a mention is probably wise.
- draft-mm-wg-effect-encrypt-13 Sections 6.2-6.4 Martin Thomson
- Re: draft-mm-wg-effect-encrypt-13 Sections 6.2-6.4 Spencer Dawkins at IETF