Re: [perpass] DNS confidentiality

Yoav Nir <ynir@checkpoint.com> Wed, 13 November 2013 05:23 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Ted Lemon <mellon@fugue.com>
Date: Wed, 13 Nov 2013 05:22:29 +0000
Message-ID: <335D1A6F-A44C-444A-9379-7D03D873F543@checkpoint.com>
References: <20131111121027.GA31723@sources.org> <CEA6999F.25B2C%gwiley@verisign.com> <CA+9kkMDTYZ8tKnGigojWQDuDM3K0uPyoW2fesH1ueAFbTZMBrQ@mail.gmail.com> <CABkgnnVuX3bV1XMKsY1g6GOkZmhfxo=Zt9iUryt0wt+9K8tFkA@mail.gmail.com> <5282D6A3.5060205@cs.tcd.ie> <4AE06389-A46C-4F14-849E-62DC9FA7F128@fugue.com>
In-Reply-To: <4AE06389-A46C-4F14-849E-62DC9FA7F128@fugue.com>
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] DNS confidentiality

On Nov 13, 2013, at 4:48 AM, Ted Lemon <mellon@fugue.com> wrote:

> On Nov 12, 2013, at 8:32 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>> The converse argument was just made on the TLS list yesterday to
>> the effect that there's no point in TLS 1.3 (or a TLS 1.2 extension)
>> encrypting SNI because it's the same as the obviously cleartext DNS
>> query in many cases.
> 
> That's a terrible argument. Then every eavesdropping issue becomes a chicken-and-egg problem, because nobody is willing to go first.

I'm one of those that made that argument. I do think we should fix this in TLS, but realistically, browsers are going to continue sending SNI in the clear for at least another 10 years. Yes, we should fix this now, because whenever we start, that's when the 10-year countdown begins. The same is true for any modification to DNS, except the timeframe is likely to be even longer.

Yoav

[1] http://www.ietf.org/mail-archive/web/tls/current/msg10555.html
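The "obviously cleartext" SNI the exchange above refers to, as an added example that is not part of the thread: it constructs a minimal TLS ClientHello carrying a server_name extension (RFC 6066) and reads the host name back out of the unencrypted record the way any passive on-path observer, or a network monitor, can. The hostname, cipher suite and zeroed random are constructed sample values, not a capture.

```python
import struct
from typing import Optional

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal ClientHello record with an SNI extension (constructed sample)."""
    host = hostname.encode("ascii")
    # ServerNameList: one entry of name_type 0 (host_name) followed by the name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    name_list = struct.pack("!H", len(entry)) + entry
    extension = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeroed in this constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite (sample value)
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 22 = handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name visible in a ClientHello record, or None if absent/malformed.

    Nothing here is decrypted: the whole record is sent in the clear before any key exchange.
    """
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        if p + 2 > len(hs):
            return None                                  # no extensions block at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, length = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0x0000:
                entry = hs[p + 2:p + length]             # skip ServerNameList length
                if entry and entry[0] == 0:
                    name_len = struct.unpack("!H", entry[1:3])[0]
                    return entry[3:3 + name_len].decode("ascii", errors="replace")
            p += length
    except (IndexError, struct.error):
        return None
    return None
```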