Re: [TLS] DNS-based Encrypted SNI

"Short, Todd" <> Sat, 07 July 2018 02:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 10B74130E13 for <>; Fri, 6 Jul 2018 19:17:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.721
X-Spam-Status: No, score=-0.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Y0KNr4-GVrr1 for <>; Fri, 6 Jul 2018 19:17:54 -0700 (PDT)
Received: from ( [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 78D98130E20 for <>; Fri, 6 Jul 2018 19:17:53 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id w672HprI020741; Sat, 7 Jul 2018 03:17:51 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=gu5YSVj9PFlTKgMLejeseT+IwKiD18ZI7lDQI1sE+rA=; b=VdYHHeKlD0uQXVQOErglcPvYYzrNRVfBBItWiuSgZlqDXdY9yGZ0zh+iM+djT+gPhV1O d1dOiQ6UZxnFWQf3gy1pH8kb3DQ10tUlCpeSLXcYq4puE77uKp6hbQDNgz1YkILwHYwK kusgv79UuDAlk0tyHPsWppZ4zX4nhh+Q25sApJxQvDJVMoeNhNi4tyCxOd7SYOgMk/+H J1xeY3ObyjgTHWnyHEUOABUmT7RGGC0rKH2IfADVR91PXESL6Oe4QZWtejLdoR/lA6r/ VHMfO/XNKyo+oLbG4/zVBJPin/6rDGpkG6yValW5tyqni052scMWMRXk8f0PNL1smbga ag==
Received: from prod-mail-ppoint1 ( []) by with ESMTP id 2k1ucn3myk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 07 Jul 2018 03:17:51 +0100
Received: from pps.filterd ( []) by ( with SMTP id w6724c0s002374; Fri, 6 Jul 2018 22:17:50 -0400
Received: from ([]) by with ESMTP id 2jx57b30nn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 06 Jul 2018 22:17:49 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1365.1; Fri, 6 Jul 2018 19:17:48 -0700
Received: from ([]) by ([]) with mapi id 15.00.1365.000; Fri, 6 Jul 2018 21:17:48 -0500
From: "Short, Todd" <>
To: Eric Rescorla <>
CC: "<>" <>, "Sniffen, Brian" <>
Thread-Topic: [TLS] DNS-based Encrypted SNI
Thread-Index: AQHUEl5BbRY0wnPzbU+tvvqDIqSVJKR94qgAgAUS64CAAA06gIAACdxX
Date: Sat, 07 Jul 2018 02:17:48 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_AE0160F7659347F7BB01261EA8F389CBakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-06_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807070022
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-06_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807070025
Archived-At: <>
Subject: Re: [TLS] DNS-based Encrypted SNI
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 07 Jul 2018 02:17:58 -0000

(Pardon phone typos below.)
-Todd Short
// Sent from my iPhone
// "One if by land, two if by sea, three if by the Internet."

On Jul 6, 2018, at 4:43 PM, Eric Rescorla <<>> wrote:

On Fri, Jul 6, 2018 at 12:55 PM, Short, Todd <<>> wrote:
Fundamentally, unless this type of protection is baked into the protocol from the beginning, and is not an add-on option, any one/thing in the path can prevent the use of optional security features.

Don’t want people to access site XYZ? Block DNSSEC, block _ESNI DNS requests/responses, block the use of ESNI, etc.

These are sort of different things. It's true that if you control DNS, it's basically game over, which is why this is most attractive with DOH to some location not controlled by the censor. However, if you *do* have DOH, then the client shouldn't fall back, with the result that blocking ESNI blocks all ESNI-enabled sites, not just those which are sensitive

Which makes this mechanism potentially useless. If it was mandatory in TLSv1.3, then trying to block encrypted SNI would be break a lot more sites, and might have to be allowed.

A firewall can also use the record_digest to determine the destination, without even decrypting the ESNI. It just calculates the possible record_digests of the blocked sites; since the information is public. This will make it appear that ESNI is supported (for legal sites), but still block the use to illegal sites.

Or even do a reverse-DNS lookup on the destination IP, discover all the domains there, and then calculate the possible record_digests to see where the user is going.

This could be mitigated by having the same ESNIKeys for different websites, but that means the "Split Mode Topology" is broken as the record_digest cannot be used by the Client-Facing Server to select a Backend Server.

I think you may be misunderstanding the design here. All of the ESNI-enabled sites behind the same client-facing server (split mode or not) use the same keys, and hence have the same record_digest. Thus, record_digest is just an alias for anonymity set. The client-facing server does not use the record_digest to select the backend server. It uses the record_digest to find which of the keys it has offered and then uses that key to decrypt the true SNI. Note that in some naive sense you don't need a record_digest at all. It's just there to facilitate the client-facing server having multiple valid ESNI key sets (e.g., for rollover) at one time.

It's implied that record_digest is/can be used to select the "origin server". If not, then the wording should be clarified.

Again, because this is optional, the (initial) set of servers that use ESNI will be small, and can be reasonably determined. The anonymity set, at the least, can be reduced by destination address via reverse-DNS. CDNs will resolve domains to different IPs (on various metrics) which could leak information to help narrow down the actual domain. So, it still can expose a set of possible destination domains that the user is attempting to reach.

My fear is that there's enough potential leakage that something should be mentioned in security considerations.

Ah, but if the CDN maps the shared-ESNIKeys domains to be different IPs, then doesn’t matter. This is not the case, as the IP address can now be used along with the ESNIKeys to know what the final destination is.

Yes, you need to use the same IPs.


-Todd Short
// "One if by land, two if by sea, three if by the Internet."

On Jul 3, 2018, at 10:26 AM, Sniffen, Brian <<>> wrote:

Looks neat.

1) TFO DOS vector: is the idea servers will disable TFO under strain but not be able to disable ESNI?

2) “clients might opt to attempt captive portal detection to see if they are in the presence of a MITM proxy, and if so disable ESNI.”

If I’m operating a great firewall, I can use this to discover dissidents, right?  Either they send me dangerous SNI values or they are configured to not disable ESNI, and taking the fifth is fatal. To protect them, I think nobody can have this mode.

3) How many bits does this offer? Hiding in a set of a million uniform hosts is 20 bits, and the nonuniformity will accrue to the adversary’s benefit. Active probing will unmask visitors to dissident sites.

I worry that this tool is so weak against a GFW-style adversary for the purpose of allowing dissident access to restricted web sites that it will be dangerous if released. But maybe I misunderstand the purpose. If this is just to keep Western ISPs from monkeying with traffic, sure, ship it.  Labelling the encryption with its strength as applied, or showing CDNs and ISPs how to work out some bounds, seems one way to help users understand whether this can help them or put them more at risk.

Brian Sniffen

TLS mailing list<><>