IETF Logo Mail Archive

Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Ralf Skyper Kaiser <skyper@thc.org> Tue, 12 November 2013 20:01 UTC

Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5783D11E8217 for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 12:01:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.657
X-Spam-Level: *
X-Spam-Status: No, score=1.657 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gc3R0stbZRZ for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 12:01:15 -0800 (PST)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id E8CD911E81A7 for <tls@ietf.org>; Tue, 12 Nov 2013 12:01:14 -0800 (PST)
Received: by mail-ie0-f182.google.com with SMTP id e14so330927iej.13 for <tls@ietf.org>; Tue, 12 Nov 2013 12:01:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ETkRucJok0wdnyDDdKsOySPwiRVUO6RSUujuTjWHC+c=; b=QqJ8EfPDt+lwAZ8FrYnOb4R53nORPUvlUXFmqAXOkZEivh8o/VnVtpmgxPaorOO7cd FBIqpXFVORJi5K1cm1B2JEUCINK8kk/BPtusXOxJ54JjPTh7U85qINMnSuktewZ1KpOJ zs1uBv526T2u4oVDz9R1GYyt+9/H6QdS2T+F0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ETkRucJok0wdnyDDdKsOySPwiRVUO6RSUujuTjWHC+c=; b=KM6sZxLImhi6pYYjOrSig1b/JFdvg0GnKhHNmvE5T99dVQ9odnubr+oMyboyEwu2+O QO8wZ+tOU/41BnrKMrtq7HnMW9siEpfFF9Itu5+IkvPHZ2u7NUwapvsPbpMWvnlCceXt gihxJFu3lj0m0UES5tP8CCehbBU8lPffw3WVq4RWwq+S7e0OZ/67gOKDh1a2LY3+4T4I 6Y05e9iOovtiGhctNkntdN/60cU0ym/8nuyqggquohJvkg86BGmtM4X14Pqy6AJUFOyx wAzc5isgkLNhg/istr9nJbhrgYjXxet3ifVPwsfPtedTryfJWO7tc6qFXczlAi3fvl6n 6d4w==
X-Gm-Message-State: ALoCoQlk6hyT1mpqhm+LTLtFzqpzBS4vKBv7Dr8zrV54QqU1SFeKLANyb2o62Z2Cn1qANBRNNmpe
MIME-Version: 1.0
X-Received: by 10.50.131.163 with SMTP id on3mr16474054igb.46.1384286474232; Tue, 12 Nov 2013 12:01:14 -0800 (PST)
Received: by 10.64.108.163 with HTTP; Tue, 12 Nov 2013 12:01:14 -0800 (PST)
X-Originating-IP: [80.195.189.45]
In-Reply-To: <20131112185035.EBB631AA80@ld9781.wdf.sap.corp>
References: <52823B00.8090607@fifthhorseman.net> <20131112185035.EBB631AA80@ld9781.wdf.sap.corp>
Date: Tue, 12 Nov 2013 20:01:14 +0000
Message-ID: <CA+BZK2oGsu=yr0JtAro=KOu7YUbX0E_xNnkCwfiC2g0BDS61TA@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary="047d7b2e0d1f911eb704eb004fcf"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 20:01:19 -0000

Martin,

I disagree.

1. The user can decide to force TLS 1.3
2. The attack that you describe requires active packet injection. We just
increased the cost for the attacker from passive recording of data to
active packet injection. Active packet injection does not scale and is
detectable. The proposed solution solves pervasive surveillance. That's the
goal.

I hear you loud and clear that you wish for a protocol where the SNI is
transmitted encrypted _and_ without the attacker
being able to reveal the SNI during an active attack. I'm certain that a
proposal by you of how to do this would be highly appreciated and
educational to the readers.

regards,

ralf



On Tue, Nov 12, 2013 at 6:50 PM, Martin Rex <mrex@sap.com> wrote:

> Daniel Kahn Gillmor wrote:
>
> Checking application/pgp-signature: FAILURE
> -- Start of PGP signed section.
> [ Charset UTF-8 unsupported, converting... ]
> > On 11/12/2013 09:13 AM, Phillip Hallam-Baker wrote:
> > > What am I missing here, how do you turn on encryption before the client
> > > sees the encryption credential.
> >
> > e.g. using a PFS key exchange, you could include the SNI data after the
> > key negotiation, but before the server certificate. (i think this
> > introduces an extra round trip)
> >
> > > Sure you could soft encrypt under a non authenticated key, but that
> does
> > > not provide a lot of security.
> >
> > it provides confidentiality in the face of a passive attacker, which is
> > specifically what is being asked for.  I think it's clear that this
> > information is not possible to hide from an active attacker who is
> > willing to cause connection failures to find out the name of the server
> > the client is trying to reach.
>
> Browsers perform the reconnect fallback failures transparently and
> silently, and NSA hat their Foxacid servers in place to shoot down
> any TLSv1.3 requests they like with a TCP RST.
>
> A single connection failure per client&server pair per day would be
> sufficient to elicit cleartext SNIs from clients & cleartext certificates
> from servers.
>
> We should design our protocol to provide security in a robust and
> resilient fashion, not in a brittle "weather permitting" fashion
> that is being suggested.
>
> -Martin
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email