Re: [saag] Ubiquitous Encryption: content filtering

Tom Ritter <tom@ritter.vg> Tue, 23 June 2015 04:44 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D2A61A0275 for <saag@ietfa.amsl.com>; Mon, 22 Jun 2015 21:44:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9MBDxZhmv2E6 for <saag@ietfa.amsl.com>; Mon, 22 Jun 2015 21:44:31 -0700 (PDT)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 159B51A0270 for <saag@ietf.org>; Mon, 22 Jun 2015 21:44:31 -0700 (PDT)
Received: by qged89 with SMTP id d89so60051046qge.0 for <saag@ietf.org>; Mon, 22 Jun 2015 21:44:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=/7dOzq8qQK9ZXrj+AoTMNeSBsyndAmhYaqJQc3D5r+M=; b=U2Zmk/nsQMpN0GcmZNUQvJJWLtRpTo0nCYueOtagVswNDwU15eKmXL5982/BenqjWK 3I8T/E6IV/1dhbiwn4axsHG5gpkgaNnA7/IpYwOlTqcdPyTwg2Azek1a1sfaETONE+VY joTd4PKYQ/425Cmx/0HEi9V0CpDolFk/Bl4JQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=/7dOzq8qQK9ZXrj+AoTMNeSBsyndAmhYaqJQc3D5r+M=; b=W9pnnkzCPrHTjz4FyGcN0n7rOYNSRVNTtc12UqvsUTbtCoCiyMJGKFkIZvFQ/n43O/ Tpx6q+VJBGQaqmu6fKKoI6dV5Wl9gtAUYuvl7n1R2DPyBXVcT412mSEclbWqM2mMwFGD WUcsa9gSaFeDhHNssaY4tjyqO34pL1vxfd8WjE/F/pFTC37KxaLWGS6jOcT7Ay37Ix9h xPCSNTt38X9lK7p9u1CoNK7e/dG4z+/CGyQ40eTXrvG7m9+9pb/rwN2BOWavkyfGhsGx lKoZT042KKj/lLfSXoYCG7ACdYU7jSuNdQROWbFdLrlVV+SbovQKLzlewvq3MmX/Lmgq iSGA==
X-Gm-Message-State: ALoCoQlO7hi+UJz0OOb04oqAy79aOxkwD4jHqXmXEqrTvG4gOwC/RtRarOXy2yKlqVap65KS5ZPu
X-Received: by 10.55.56.213 with SMTP id f204mr69622899qka.78.1435034670308; Mon, 22 Jun 2015 21:44:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.51.103 with HTTP; Mon, 22 Jun 2015 21:44:10 -0700 (PDT)
In-Reply-To: <DM2PR0301MB06554ECDB1166C32CF70366CA8A10@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com> <CABtrr-U9kLfq4GQbWSgPN=wCD=Cdi0uQ+bQqXj35j+PFtuE8Pg@mail.gmail.com> <A4BAAB326B17CE40B45830B745F70F108E070156@VOEXM17W.internal.vodafone.com> <55844743.4030300@cs.tcd.ie> <55886F38.4030906@bbn.com> <20150622211207.GM6117@localhost> <DM2PR0301MB06554ECDB1166C32CF70366CA8A10@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Tom Ritter <tom@ritter.vg>
Date: Mon, 22 Jun 2015 23:44:10 -0500
Message-ID: <CA+cU71ksYZpzg_7jX1xz3aqg-ZVMC-22hCevATrgmHj3h5bVrA@mail.gmail.com>
To: Christian Huitema <huitema@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/fORXJzQyKDupKPRuteW9v6WeQlM>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Ubiquitous Encryption: content filtering
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 04:44:32 -0000

On 22 June 2015 at 16:24, Christian Huitema <huitema@microsoft.com> wrote:
> If the site used a shared address, then the TLS packets contain a clear text SNI, and firewall magic could drop these connections.
>
> I am not very happy about the clear text SNI, but it does not seem to be going away any time soon.

Many of us aren't, as it's been used at the nation level for
censorship. We're working on TLS 1.3, and our hope now is that it will
have the capability to do encrypted SNI through the use of pre-shared
keys provided over (e.g.) DNS or a prior connection.

DNS leaks it also, but it's already possible to configure a local
unbound instance to talk to a remote resolver over TLS; so that
protocol is a way forward for DNS Privacy (which is also being worked
on) that already has some running code.

-tom
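As an added illustration of the unbound setup mentioned above (this is example configuration, not something from Tom's message or from the unbound project's own documentation): a minimal unbound.conf that makes a local instance forward every query to a remote resolver over TLS on port 853. It assumes an unbound release from 1.7.3 onward, which spells the options `tls-upstream` / `forward-tls-upstream` (earlier releases of the era of this thread used `ssl-upstream` / `forward-ssl-upstream`); the resolver address `192.0.2.53` and the name `dot.resolver.example` are placeholders to be replaced with a real DNS-over-TLS resolver.

```conf
# Added example config (not from the thread): local unbound forwarding all
# queries to a remote resolver over TLS.  Assumes unbound >= 1.7.3 option
# names; 192.0.2.53 and dot.resolver.example are placeholders.
server:
    interface: 127.0.0.1
    port: 53
    # Only the local host may use this instance as a resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Upstream traffic goes over TLS rather than plain UDP/TCP port 53.
    tls-upstream: yes
    # CA bundle used to verify the upstream resolver's certificate; without
    # it the session is encrypted but the remote end is not authenticated.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # address@port#authname: port 853 is DNS over TLS, and the name after
    # '#' is what the server certificate is checked against.
    forward-addr: 192.0.2.53@853#dot.resolver.example
    forward-tls-upstream: yes
```

Validate the file with `unbound-checkconf` before restarting, then resolve something through `127.0.0.1` and confirm on the wire that the only upstream traffic leaving the host is TLS to port 853, with no plaintext port-53 queries. Note what this does and does not hide: an on-path observer no longer sees the query names, but the remote resolver operator still does, so the choice of resolver is now the trust decision.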