IETF Logo Mail Archive

Re: [TLS] Encrypted hellos (was Re: "Encrypted" SNI)

Dave Garrett <davemgarrett@gmail.com> Sat, 13 May 2017 05:23 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F24127B5A for <tls@ietfa.amsl.com>; Fri, 12 May 2017 22:23:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5cZpEt-I3Tjo for <tls@ietfa.amsl.com>; Fri, 12 May 2017 22:23:13 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CB6C12944A for <tls@ietf.org>; Fri, 12 May 2017 22:21:09 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id y201so62667629qka.0 for <tls@ietf.org>; Fri, 12 May 2017 22:21:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=LoqyiocEvUm4wyf5Je90THIJtI40CZczKDSEXkMNsG4=; b=S7gMhmRw7nKrE9rPboCLjn9rVTWqMo0WD1TjtWm6ahQdy/CCjpmtoeXr4coxT3mGpc A9Ut9jDsD/buruIAjH0RUEpbLucf27d2ZwpuyuyswxieG4/GIJQRlo7FNSv8jPBMyWv7 5oEIaA2FNYamvEu25k5UUYACGDkihsJivTsYvEhmUObCI2rV+E8dUb0vc5KrMJRgH8yV tzWEfbQ/01Ryf69L0+lrGWZHB4JCMKvF+RV1hD7hayqJurW/g+u3HDTKINB1/UZ8gyRa PmuLvZiQBPmg853O73CcInAD6Y3VwyZ6CbVLU4NAoB7qgS5XzpeQ3Fk4S+/lDmTxbR5h u7sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=LoqyiocEvUm4wyf5Je90THIJtI40CZczKDSEXkMNsG4=; b=qir9U/X1LqM80kbc+WjNtAcDbVbbKOJpLP27aOCb0I+lmNViG9e52N47fV2GmeOraC d2mHpfFEAeESbCxp1PsRawJIBWpI+UKr1KGUg3DOqfgqGYISqu6UU3CWr2HEZbu82S4J HZZzGfIpGDUGYpQZY862+mRkukRQ82xF0gIVmT/NlmNuApNJIbyb91q0VWdeXXbED7Dm 4W7LVw+bfPhT73019rlDU3xIxmrAjBcT0Z6ov7AgCvIWZ9Rzbbh2kYgEYDdddEMKQqLw YDPErv+cb/sIkepJF0XxbT9e0gbfjH1pzhaJZQRctD7ozG9hkLKkEGpXC9rA5S8CAbuw aPxA==
X-Gm-Message-State: AODbwcBhxXybpKPuN2se84NC/uh7qyywhxTWGW+keJw1EWgBG7JtJeSa 34OjaQuiviGuZw==
X-Received: by 10.55.204.23 with SMTP id r23mr7419356qki.72.1494652868657; Fri, 12 May 2017 22:21:08 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-185-36-197.phlapa.fios.verizon.net. [71.185.36.197]) by smtp.gmail.com with ESMTPSA id k184sm3821369qkb.48.2017.05.12.22.21.07 (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 12 May 2017 22:21:08 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Christian Huitema <huitema@huitema.net>
Date: Sat, 13 May 2017 01:21:06 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
Cc: tls@ietf.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Ilari Liusvaara <ilariliusvaara@welho.com>, Hubert Kario <hkario@redhat.com>
References: <3768598.32hupQ9b2b@pintsize.usersys.redhat.com> <201705122258.49117.davemgarrett@gmail.com> <156700d9-b0fa-fbee-befe-7245bc768ab5@huitema.net>
In-Reply-To: <156700d9-b0fa-fbee-befe-7245bc768ab5@huitema.net>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Message-Id: <201705130121.06879.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2uondkHxMNIqsXSse2BTwOojuAQ>
Subject: Re: [TLS] Encrypted hellos (was Re: "Encrypted" SNI)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 May 2017 05:23:15 -0000

On Friday, May 12, 2017 11:17:45 pm Christian Huitema wrote:
> The "server DH Key" poses a significant forward secrecy issue. Suppose
> that the key is compromised. Now the secret police can find out what
> nasty sites was accessed by whom. That can be plus plus not good for
> said dissidents.

*This is the current situation.* "If the fix is broken, then it won't be fixed anymore" is not really that compelling of an argument, by itself.

Of course the host DH key has an FS risk; it'd need to have a limited validity time and be rotated regularly. (probably weekly) The private key would need to be protected and managed by the host (not the virtual servers), and the public key would need to be given to the virtual servers to be listed in DNS for their domains. An attacker that can get that private key can revert the security to the current status quo, but the handshake would still set up an ephemeral DH key for FS of everything after the hellos (as is the current case, with the well known caveats with 0RTT data).

An attacker that can reliably exfiltrate or completely control that key/host will almost certainly be able to surviel which virtual hosts are connected to no matter what we do. (or more precisely, I think that any gains you can make there are likely to be a lost cause) The only simple solution virtual servers have there is to not use a host you can't actually trust.

Of course, if everyone just switched to IPv6, everyone can get their own unique IP, the offending virtual server nonsense becomes obsolete, and servers could opt-out of SNI entirely (e.g. via a flag in DNS). (yeah, those IPs are of course trackable, though more easily rotatable, but you're not going to get a perfect solution here without something like Tor)

> EKR did propose a TLS in TLS tunnel back in December 2015:
> https://mailarchive.ietf.org/arch/msg/tls/tXvdcqnogZgqmdfCugrV8M90Ftw.
> It would effectively encrypt the "inner" Client Hello.

Same basic concept, different implementation. TLS tunneling would provide some backwards compatibility; ClientHellos would still look like ClientHellos. I was just suggesting the simple generic route of encrypting everything in a non-backwards-compatible way (sent to a specified port that is set up to only handle that and reject everything else). I'd rather let stupid/incompatible stuff just break if we're designing a new opt-in system.

The argument I'm making here isn't about implementation; it's about what to think about implementing to deal with the issues here.


Dave

v2.23.0 | Report a Bug | By Email