Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Jacob Appelbaum <jacob@appelbaum.net> Thu, 03 December 2015 03:56 UTC
Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 686CA1B2CBB for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 19:56:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HR_L-i-JK7kK for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 19:56:29 -0800 (PST)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC44B1B2EEC for <tls@ietf.org>; Wed, 2 Dec 2015 19:56:21 -0800 (PST)
Received: by iofh3 with SMTP id h3so68735609iof.3 for <tls@ietf.org>; Wed, 02 Dec 2015 19:56:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=appelbaum-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=u7/rcVpWTRrBILiO3wbfzi75MxLyi5Sv+CMm96J4PJw=; b=wuVZZS4+BPn2xnoMkJrn0TjlzWZ0oR3dxAGDXaDBi+jU38AWVNhNWWQvydpkuBlOYz 8A9oxXjI0ObhXjnA63q88hGbqUow7fiv04a0W3qdsGwc/1GOAhHWtF8WBMLFbz3v7A9j DcKytZloM1UKFHecRFW9tnxQxBbbLd8WF9SOteHV7J8xnKKi2lzLz9orVFHdrC89Blc3 roLzEpZA9+JIbSPkMB7l7Q4sMH4D94hSsLfqsa7S/CR22yHocMuHD0qgncHGL7fgnpek HwgmeGfNHOrMrUDCmt0Aw9elg+3aXkRxU0wDV5lFbBHwANdekzAlpwkap+1SAqZkkUGt Twiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=u7/rcVpWTRrBILiO3wbfzi75MxLyi5Sv+CMm96J4PJw=; b=VaBL/WaP/mubfVyZe5pIyRJVHRZkb4SKKgUk91792VNPxHy7cE/UVzPnoNKtwEh5HW HgM01oDMOb+v8wznl7qRmDAjTuAexq8Nya+RWXXeCnHuaDrbHfN64HJOZ9a45YUuRLsP C0dMZtZYk0NaS9uBLHfnzujJqntLUivTRICcYc8U9U6LCeHCF2VgQTshdo8aBKFOnqh5 a0Zz4LcX526KcF4sz69kB2iv6qjsAvE2H4TNThwKQCa3+bSNSzK6DxR3UsHeWk4w+iQr GQx5DwD3WcAJprlv2InO2AOMH0z3QS/OCGeRQfPuk6CebAi/qmfUn4O8zVePxdkB+J7C fS5w==
X-Gm-Message-State: ALoCoQny1jycXphxh30Ot/DOaM0OD4DDqxOL1TtxFHSY4s0y0i1Gz+16CCsJqlqPkC5S8F/MWgSA
MIME-Version: 1.0
X-Received: by 10.107.7.210 with SMTP id g79mr6782192ioi.81.1449114981137; Wed, 02 Dec 2015 19:56:21 -0800 (PST)
Received: by 10.79.70.71 with HTTP; Wed, 2 Dec 2015 19:56:20 -0800 (PST)
X-Originating-IP: [197.231.221.211]
In-Reply-To: <CANBOYLXJX_gjuC8Rp0Z9YqzNYsbr0x1WeL4AeRUxFtMaM+U5wQ@mail.gmail.com>
References: <CAFggDF3HP5u0YP0UP_HrrZnrTnzc-CD1EG0grZBcb5sB7A2fAA@mail.gmail.com> <20151202160837.6016A1A39B@ld9781.wdf.sap.corp> <CAFggDF0D3Rgav-4xg-11u0igMyMXvAWT+JNt2r1xyQnpvm08Qw@mail.gmail.com> <0ba184c45d44474e961a2aaac82fec0e@usma1ex-dag1mb1.msg.corp.akamai.com> <CAFggDF119jxPSXUAe2E4y_TQds4P3K1eTGM3sZHSa=NoeMOV-A@mail.gmail.com> <1b5cf52ca90e45bd82f5247ca675dead@usma1ex-dag1mb1.msg.corp.akamai.com> <CAFggDF24hhrXS95kONb_N6XHrO+11wFsAkHOpYZ_uu5RvyV+Kg@mail.gmail.com> <CANBOYLXJX_gjuC8Rp0Z9YqzNYsbr0x1WeL4AeRUxFtMaM+U5wQ@mail.gmail.com>
Date: Thu, 03 Dec 2015 03:56:20 +0000
Message-ID: <CAFggDF2fbpFkURZtjuKc5NWGRdYra+A9gPD6881nk-Crs2ijXA@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Eric Mill <eric@konklone.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6Dqhi9FV1YgRBQ9eZi8ofwBzCXA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 03:56:31 -0000
On 12/3/15, Eric Mill <eric@konklone.com> wrote: > On Wed, Dec 2, 2015 at 7:52 PM, Jacob Appelbaum <jacob@appelbaum.net> > wrote: > >> On 12/2/15, Salz, Rich <rsalz@akamai.com> wrote: >> >> it seems blindingly obvious to me that we want it >> > >> > Few things, particularly in the security arena, are blindingly obvious. >> If >> > it actually provides no true protection, then it's just as bad as the >> > security theater in US airports. >> >> It provides protection. Specifically it provides confidentially. >> >> It doesn't solve the fact that the DNS is a privacy violating >> nightmare. It doesn't change the fact that the NSA breaks the rules. >> > > And what Don and Rich's analysis is trying to isolate is how much real > protection you get from that level of confidentiality, so that a decision > that weighs all available factors can be made, including the complexity > cost. I'm sorry but that analysis is just not a serious and rigorous analysis. > It's not just a collective action problem because DNS isn't encrypted too. The conclusion summary is that because there are many problems, we won't address our part of the problems. The conclusion is that SNI privacy isn't worth it because those who live in liberal democracies with poor traffic analysis, well they just don't matter much. Which is... just... well, as I said above, I just don't take this seriously. > Their analysis also looks at what you get when both are encrypted. And > regardless of DNS being encrypted, rainbow-table style reverse lookups of > IP to DNS name are always possible. That doesn't mean encrypted SNI isn't > worth it -- it clearly provides a security attribute (confidentiality) to > an important piece of information. You're now suggesting an attacker that computes rainbow-tables to arrive a possibility which in itself sounds like a massive improvement over what was an absolute certainty. > But it's not enough to drive ahead and say that some attribute outweighs > every other consideration. For example, HSTS' persistence of memory can be > abused as a tracking device: > > http://zyan.scripts.mit.edu/sniffly/ > > And this was known at the time the spec was finalized: > > https://tools.ietf.org/html/rfc6797#section-14.9 > > But HSTS creates security benefits that are well worth the cost of that > tracking potential (which can also be mitigated through preloading). There > are a lot of browsers and communities which use and advocate for HSTS that > might generally balk at creating tracking devices. > Yes, tracking with HSTS is a problem and there is work being done to mitigate that tracking concern. > I'm not advocating a strong stance on whether encrypted SNI is worth > pursuing, or whether TLS record headers should be encrypted in TLS 1.3. But > it's useful to keep the debate framed in its full context, rather than > narrowing it to a black-and-white discussion over whether a generally good > attribute is good or not. Sure and that full context includes RFC 7258: "Pervasive Monitoring Is an Attack" - something that defines reasonably clearly many of the concerns I've stated. All the best, Jacob
- [TLS] Encrypting record headers: practical for TL… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Tony Arcieri
- Re: [TLS] Encrypting record headers: practical fo… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bill Cox
- Re: [TLS] Encrypting record headers: practical fo… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Short, Todd
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Jim Schaad
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… John Mattsson
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- [TLS] Fully encrypted and authenticated headers (… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Fully encrypted and authenticated heade… Martin Thomson
- Re: [TLS] Fully encrypted and authenticated heade… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Mike Copley
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Stephen Farrell
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Ilari Liusvaara
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Mill
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Martin Thomson
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jeff Burdges
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum