Re: [saag] Ubiquitous Encryption: content filtering

Natasha Rooney <nrooney@gsma.com> Tue, 23 June 2015 08:47 UTC

From: Natasha Rooney <nrooney@gsma.com>
To: Tom Ritter <tom@ritter.vg>
Thread-Topic: [saag] Ubiquitous Encryption: content filtering
Date: Tue, 23 Jun 2015 08:47:13 +0000
Message-ID: <DE85F7A6-A8F6-48FA-8AAA-EF8ECE17B73E@gsma.com>
References: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com> <CABtrr-U9kLfq4GQbWSgPN=wCD=Cdi0uQ+bQqXj35j+PFtuE8Pg@mail.gmail.com> <A4BAAB326B17CE40B45830B745F70F108E070156@VOEXM17W.internal.vodafone.com> <55844743.4030300@cs.tcd.ie> <55886F38.4030906@bbn.com> <20150622211207.GM6117@localhost> <DM2PR0301MB06554ECDB1166C32CF70366CA8A10@DM2PR0301MB0655.namprd03.prod.outlook.com> <CA+cU71ksYZpzg_7jX1xz3aqg-ZVMC-22hCevATrgmHj3h5bVrA@mail.gmail.com>
In-Reply-To: <CA+cU71ksYZpzg_7jX1xz3aqg-ZVMC-22hCevATrgmHj3h5bVrA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/dkuqG81mfR2ftVhbwWegYzU8DEw>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Ubiquitous Encryption: content filtering
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>

Thanks guys for this - and sorry for the on-list tech check: but isn’t SNI configured by the content server? So, if I run https://evil.com, can’t I just not use SNI?

Natasha


Natasha Rooney | Web Technologist | GSMA | nrooney@gsma.com | +44 (0) 7730 219 765 | @thisNatasha | Skype: nrooney@gsm.org
Tokyo, Japan


On Jun 23, 2015, at 6:44 AM, Tom Ritter <tom@ritter.vg> wrote:

On 22 June 2015 at 16:24, Christian Huitema <huitema@microsoft.com> wrote:
If the site used a shared address, then the TLS packets contain a clear text SNI, and firewall magic could drop these connections.

I am not very happy about the clear text SNI, but it does not seem to be going away any time soon.

Many of us aren't, as it's been used at the nation level for
censorship. We're working on TLS 1.3, and our hope now is that it will
have the capability to do encrypted SNI through the use of pre-shared
keys provided over (e.g.) DNS or a prior connection.

DNS leaks it also, but it's already possible to configure a local
unbound instance to talk to a remote resolver over TLS; so that
protocol is a way forward for DNS Privacy (which is also being worked on)
that already has some running code.

-tom

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


This email and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone; please reply to this email or call +44 207 356 0600 and highlight the error.