IETF Logo Mail Archive

Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 12 November 2013 19:10 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A8FA11E8138 for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 11:10:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_66=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id feDQYypRrdUP for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 11:10:29 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 3A17E11E810F for <tls@ietf.org>; Tue, 12 Nov 2013 11:10:28 -0800 (PST)
Received: from [192.168.13.151] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 2FDFAF986 for <tls@ietf.org>; Tue, 12 Nov 2013 14:10:26 -0500 (EST)
Message-ID: <52827D21.7090007@fifthhorseman.net>
Date: Tue, 12 Nov 2013 14:10:25 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: IETF TLS WG <tls@ietf.org>
References: <20131112185035.EBB631AA80@ld9781.wdf.sap.corp>
In-Reply-To: <20131112185035.EBB631AA80@ld9781.wdf.sap.corp>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="FCVrJXVaned5SN7QNfcGXjFv8vI1qRjuW"
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 19:10:35 -0000

On 11/12/2013 01:50 PM, Martin Rex wrote:
> Browsers perform the reconnect fallback failures transparently and
> silently, and NSA hat their Foxacid servers in place to shoot down
> any TLSv1.3 requests they like with a TCP RST.

I note that you're talking about an active attacker here.

But in general, yes, any tool that silently performs a fallback to an
older version will not get any of the security enhancements offered by a
newer version.  This doesn't mewn we shouldn't try to add any security
enhancements to newer versions, though.  It means we should try to
figure out ways to discourage fallback, or to identify and isolate and
expose peers who require these fallback mechanisms.

> A single connection failure per client&server pair per day would be
> sufficient to elicit cleartext SNIs from clients & cleartext certificates
> from servers.

Yes, it would, i agree.  These mechanisms seem unlikely to protect the
requested identity of the server in the face of an active attacker.  If
we assume that the client has never connected to the server before (i.e.
no pre-cached server public keys, etc), then i don't see any way to
design a protocol that could hide the identity of the party that the
client is trying to reach from an active attacker who is willing to
cause connection failures.  Do you?

> We should design our protocol to provide security in a robust and
> resilient fashion, not in a brittle "weather permitting" fashion
> that is being suggested.

That's exactly what this discussion is trying to do.  It's clear that
the current SNI mechanism always leaks the requested server identity to
anyone on the network path.  The proposal to encrypt it with keys
derived from the as-yet-unauthenticated DH exchange will hide this
information from any passive attacker on the network path.  It even
allows the client to detect a failed connection (and possible requested
server name leak) when an active attacker attempts a MITM.  These are
both a clear improvements over the current situation.

If you have a proposal for a way to hide this information from everyone
on the network path, including active attackers who are willing to cause
connection failures, that would be an even better improvement.

	--dkg

v2.23.0 | Report a Bug | By Email