Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 12 November 2013 19:10 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A8FA11E8138 for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 11:10:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_66=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id feDQYypRrdUP for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 11:10:29 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 3A17E11E810F for <tls@ietf.org>; Tue, 12 Nov 2013 11:10:28 -0800 (PST)
Received: from [192.168.13.151] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 2FDFAF986 for <tls@ietf.org>; Tue, 12 Nov 2013 14:10:26 -0500 (EST)
Message-ID: <52827D21.7090007@fifthhorseman.net>
Date: Tue, 12 Nov 2013 14:10:25 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: IETF TLS WG <tls@ietf.org>
References: <20131112185035.EBB631AA80@ld9781.wdf.sap.corp>
In-Reply-To: <20131112185035.EBB631AA80@ld9781.wdf.sap.corp>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="FCVrJXVaned5SN7QNfcGXjFv8vI1qRjuW"
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 19:10:35 -0000
On 11/12/2013 01:50 PM, Martin Rex wrote: > Browsers perform the reconnect fallback failures transparently and > silently, and NSA hat their Foxacid servers in place to shoot down > any TLSv1.3 requests they like with a TCP RST. I note that you're talking about an active attacker here. But in general, yes, any tool that silently performs a fallback to an older version will not get any of the security enhancements offered by a newer version. This doesn't mewn we shouldn't try to add any security enhancements to newer versions, though. It means we should try to figure out ways to discourage fallback, or to identify and isolate and expose peers who require these fallback mechanisms. > A single connection failure per client&server pair per day would be > sufficient to elicit cleartext SNIs from clients & cleartext certificates > from servers. Yes, it would, i agree. These mechanisms seem unlikely to protect the requested identity of the server in the face of an active attacker. If we assume that the client has never connected to the server before (i.e. no pre-cached server public keys, etc), then i don't see any way to design a protocol that could hide the identity of the party that the client is trying to reach from an active attacker who is willing to cause connection failures. Do you? > We should design our protocol to provide security in a robust and > resilient fashion, not in a brittle "weather permitting" fashion > that is being suggested. That's exactly what this discussion is trying to do. It's clear that the current SNI mechanism always leaks the requested server identity to anyone on the network path. The proposal to encrypt it with keys derived from the as-yet-unauthenticated DH exchange will hide this information from any passive attacker on the network path. It even allows the client to detect a failed connection (and possible requested server name leak) when an active attacker attempts a MITM. These are both a clear improvements over the current situation. If you have a proposal for a way to hide this information from everyone on the network path, including active attackers who are willing to cause connection failures, that would be an even better improvement. --dkg
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- [TLS] Final nail in the coffin for cleartext SNI/… Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Ryan Hurst
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Seth David Schoen
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Jacob Appelbaum
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Sean Leonard
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Phillip Hallam-Baker
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Bodo Moeller
- Re: [TLS] Final nail in the coffin for cleartext … Marsh Ray
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Geoffrey Keating