Re: [TLS] Tonight's Encrypted SNI Hangout Session
Yoav Nir <ynir.ietf@gmail.com> Tue, 14 November 2017 02:43 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87B3C129B4D for <tls@ietfa.amsl.com>; Mon, 13 Nov 2017 18:43:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RSg7P5Pm443O for <tls@ietfa.amsl.com>; Mon, 13 Nov 2017 18:43:33 -0800 (PST)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC62B129B97 for <tls@ietf.org>; Mon, 13 Nov 2017 18:43:07 -0800 (PST)
Received: by mail-pg0-x22f.google.com with SMTP id t10so13199440pgo.3 for <tls@ietf.org>; Mon, 13 Nov 2017 18:43:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=z1WzCs8SsZMUurSHuYvUwdI1zQnYCP2zIztMIFujoEw=; b=LxQ115W2akF7weIgwvvyyHeUuyubHlBcgBtC5m+7So2cW2XH5kEe3ulcf4XDbGRpEb 4g4aBe5zwqjxkxJOykSWuqRLma3ughF7pHEd/mnizsdHz8YwrudLF03qKZvvzu4Ixu9W Oh8OmoQ3uJIIYzJK6+nj8HE/snnY53a6HrWOLxd3NZj3760GGtzDyrHfVRziYUK8d/9c LxcNhAklNSd5KuNJ8NSmBYvzai1J+5NK+YUegKm4yuxMQM4mG/wI0aGyGZH56cWO+r9I 0oJiMcazK+nqQYnYe4bRsu3olcYtvx7jyx5rB503VDBn6bXyeF+xsG2isz31H5/EUGno NJJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=z1WzCs8SsZMUurSHuYvUwdI1zQnYCP2zIztMIFujoEw=; b=om9gQ7gs+BxkoDVYdvTPUE1ZprqxRsCQVaVmF65/LgOZnq7/oE3JY4wYOuX/Ux+jCz Vf2bz+1de6yYjTZ8SuO80NV7sZW/qq/dsMLIE4rke/Om6qckFG8w0lncW55JDp/sf3Xe XmkII6pX4n6z1THxSQMzX5YuxJwa2+cd6dmvo1ETFvv8aaZtOkP+oqdgx7v0nVCB1JW4 JdGw87sgJyS1RifRa2vPQx0PHfEkMu/6oUMoPz7AmxaPfOIpSfejKx2XGBSO6rNCKV7F KqT62ggKMF0Gx8qV1DSAWV4fbUU6lBJzn54G5kAdNl3hGaC0yjjt5Sb8HAdzp5TvabBW Pl0Q==
X-Gm-Message-State: AJaThX4snH5mbHkohEt5tbnsl2adadiPb3WCDZCGpaz9O2HD662Nmady R7HH5rcKuDoOJ9lVaptoBFceFs9J
X-Google-Smtp-Source: AGs4zMY8ez99eoaI7B4E0h/2vVcpWSG4ljPDSUF23CDCoyApE4hYFrB3CCsyb/npbVH2wt96qrmobw==
X-Received: by 10.84.129.195 with SMTP id b61mr10916728plb.82.1510627387307; Mon, 13 Nov 2017 18:43:07 -0800 (PST)
Received: from ?IPv6:2001:67c:370:128:ac00:6e53:e446:745? ([2001:67c:370:128:ac00:6e53:e446:745]) by smtp.gmail.com with ESMTPSA id o88sm18342794pfj.175.2017.11.13.18.43.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Nov 2017 18:43:06 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <4890DB57-90E8-4F95-8DAF-1765CF491588@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_E678F8C9-25DE-4093-92F4-6289747147F7"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.1 \(3445.4.7\))
Date: Tue, 14 Nov 2017 10:43:20 +0800
In-Reply-To: <CA+cU71nf1qpCNkRzUgm3Xh_Y9P4zTFD3sD2wp6xPutdLPZzB9A@mail.gmail.com>
Cc: Bret Jordan <jordan.ietf@gmail.com>, "tls@ietf.org" <tls@ietf.org>
To: Tom Ritter <tom@ritter.vg>
References: <CAPCpN4t4m9M6u=E29u=TQnBScjRTfA91K9pdyPG3nvyi+GHC3w@mail.gmail.com> <CA+cU71nf1qpCNkRzUgm3Xh_Y9P4zTFD3sD2wp6xPutdLPZzB9A@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.4.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2YcXxVbcLyULTS5w92ohsHrjmLg>
Subject: Re: [TLS] Tonight's Encrypted SNI Hangout Session
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 02:43:35 -0000
> On 14 Nov 2017, at 0:00, Tom Ritter <tom@ritter.vg> wrote: > > Are you also interested in collecting reports of where SNI is used to > censor? Or the list of network vendors that support filtering and > manipulating traffic based on the value? I don’t think naming and shaming is a goal here. > In general, the bad uses of SNI are harder to enumerate because people > aren't willing to come to the WG and explain how they use SNI to > selectively break or censor the internet for their citizens/users. I don’t think that’s true. I used to work for a vendor of a network firewall, and I can explain how this is done. Inspecting the ClientHello to find the SNI for filtering is a weak way to do filtering. It’s also a light-weight way. So if I want to filter Wikipedia, I match SNIs to "*.wikipedia.org” and I have my filtering. Depending on how many cycles I can spare, this is a cost-effective method. We have evidence that it’s been used for filtering, but sophisticated users can circumvent this - they can configure the browser to use TLS 1.0 and not send SNI at all. More modern firewalls make a probing connection to the server, sending a ClientHello that is almost identical to the one sent by the real client and checking the returned certificate. The names specified in that certificate are used for the filtering. That information is cached so that not every real ClientHello has to wait for a probing connection. I don’t know if any vendor has made this scale to filter an entire country’s browsing, but this is considered to be more reliable than filtering by SNI. > We > have a few confirmed cases, anecdotal evidence, and lots of evidence > of censors being technically applied by whatever means is available. > > But when you pile up all the administrators who will come to the WG > and say "This really frustrates me and makes my job harder" you're > going to have a much bigger pile than the users (or even technical > advocates like myself) we can bring in and say "Plaintext SNI is > harming the Internet”. IMO the real game-changer will be having an encrypted part to the ClientHello. If all ClientHellos are different, this defeats caching. > >> Side question, it feels like this effort could represent a lot of work and >> require a lot of dedicated cycles. Does it make sense to continue this >> effort inside of the TLS WG? If it does, will the WG give us the time, >> mindshare, and cycles to focus on it (just asking the hard question)? > > In August we adopted the draft, so the answer is "Yes". > > -tom
- [TLS] Tonight's Encrypted SNI Hangout Session Bret Jordan
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Tom Ritter
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Ilari Liusvaara
- Re: [TLS] Tonight's Encrypted SNI Hangout Session David P
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Ilari Liusvaara
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Christian Huitema
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Salz, Rich
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Bret Jordan
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Yoav Nir
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Bret Jordan
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Flemming Andreasen
- Re: [TLS] Tonight's Encrypted SNI Hangout Session Sean Turner