Re: [saag] Ubiquitous Encryption: content filtering

Tom Ritter <tom@ritter.vg> Wed, 24 June 2015 00:08 UTC

In-Reply-To: <DE85F7A6-A8F6-48FA-8AAA-EF8ECE17B73E@gsma.com>
References: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com> <CABtrr-U9kLfq4GQbWSgPN=wCD=Cdi0uQ+bQqXj35j+PFtuE8Pg@mail.gmail.com> <A4BAAB326B17CE40B45830B745F70F108E070156@VOEXM17W.internal.vodafone.com> <55844743.4030300@cs.tcd.ie> <55886F38.4030906@bbn.com> <20150622211207.GM6117@localhost> <DM2PR0301MB06554ECDB1166C32CF70366CA8A10@DM2PR0301MB0655.namprd03.prod.outlook.com> <CA+cU71ksYZpzg_7jX1xz3aqg-ZVMC-22hCevATrgmHj3h5bVrA@mail.gmail.com> <DE85F7A6-A8F6-48FA-8AAA-EF8ECE17B73E@gsma.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 23 Jun 2015 17:08:38 -0700
Message-ID: <CA+cU71mretXQLY0ym1bBRfWceXJmt6RZAJZguCOH7hipgRQLuw@mail.gmail.com>
To: Natasha Rooney <nrooney@gsma.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/tRf9FSainguZRKtoAl6Uz5Oodt4>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Ubiquitous Encryption: content filtering

On 23 June 2015 at 01:47, Natasha Rooney <nrooney@gsma.com> wrote:
> Thanks guys for this - and sorry for the on-list tech check: but isn't SNI
> configured by the content server? So, if I run https://evil.com, can't
> I just not use SNI?

No.  While you can indeed disable SNI on your server, that will make
no difference if clients send your name in the SNI.  What you need to
do to protect against filtering is configure clients not to send SNI,
which would never be done (because the connection would fail) unless
the client knows the connection to the server in question will succeed
without it.

-tom
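The point of the reply above is that the server name in SNI is put on the wire by the client, in the cleartext ClientHello, so a server-side setting cannot hide it and a middlebox doing content filtering reads it straight out of the first TLS record. The following is an added illustration, not code from this thread or from any IETF document: it uses Python's `ssl` module with memory BIOs to generate a ClientHello offline (no socket is opened), once with a server name and once without, and a small parser that extracts the SNI extension the way a passive filter or IDS would. The host name `example.test` is a constructed placeholder; `client_hello_bytes`, `sni_from_client_hello` and `demo` are names chosen for this example.

```python
import ssl
import struct


def client_hello_bytes(server_hostname):
    """Return the raw TLS ClientHello a Python client would send.

    The handshake is driven against memory BIOs, so nothing leaves the host.
    server_hostname=None means the client sends no SNI extension at all,
    which is the only way the name stays off the wire (the server's own SNI
    configuration plays no part in what the client emits).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The handshake never completes here, so certificate checks are irrelevant;
    # check_hostname must be off before a client may omit server_hostname.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; we stop before any ServerHello
    return outgoing.read()


def sni_from_client_hello(data):
    """Parse one TLS record holding a ClientHello; return the SNI host name or None.

    Layout (RFC 8446 section 4.1.2): record header, handshake header, version,
    random, session id, cipher suites, compression methods, extensions.
    The server_name extension has type 0 and carries a ServerNameList.
    """
    if not data or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + hs[pos]                    # legacy_session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                    # legacy_compression_methods
    if pos >= len(hs):
        return None                       # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0:
            continue
        list_len = struct.unpack("!H", body[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = body[p]
            name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
            name = body[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:            # host_name
                return name.decode("ascii")
    return None


def demo(hostname="example.test"):
    """Show what a passive observer sees with and without client-side SNI."""
    seen_with_sni = sni_from_client_hello(client_hello_bytes(hostname))
    seen_without = sni_from_client_hello(client_hello_bytes(None))
    return seen_with_sni, seen_without


if __name__ == "__main__":
    with_sni, without = demo()
    print("client configured with server_hostname ->", with_sni)
    print("client configured with no server_hostname ->", without)
```

Running it prints the constructed host name for the first ClientHello and `None` for the second: the same server, the same TLS stack, and the only thing that changed is a client-side setting. That is why the thread concludes that only clients which already know a particular server will answer without SNI could safely omit it; for everyone else the name stays visible to whatever sits on the path.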