Re: [TLS] Let's remove gmt_unix_time from TLS

mrex@sap.com (Martin Rex) Wed, 11 September 2013 17:41 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C543A21F9CBF; Wed, 11 Sep 2013 10:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X6-D2htg+pBb; Wed, 11 Sep 2013 10:41:37 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 2151621F9A59; Wed, 11 Sep 2013 10:41:36 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r8BHfZO7023037 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 11 Sep 2013 19:41:35 +0200 (MEST)
In-Reply-To: <CAKDKvuw240Ug4xB3zi2w0y7pUvCwSe0nNFZ2XP2vL-tbtKT0tg@mail.gmail.com>
To: Nick Mathewson <nickm@torproject.org>
Date: Wed, 11 Sep 2013 19:41:35 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130911174135.455A01A960@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: perpass@ietf.org, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Let's remove gmt_unix_time from TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2013 17:41:43 -0000

Nick Mathewson wrote:
> ====
> SYNOPSIS:
> 
> In TLS as currently specified, clients and servers each send their
> current view of "the time" in the clear as part of their handshake.
> This provides a fingerprint that can track users in spite of other
> attempts to make them untrackable.  I propose several ways to stop
> doing sending this cleartext timestamp; some trivial and some more
> complex.

I would really appreciate a different approach to the underlying
issue, and less throwing of smoke grenades here.

If you're worried about being slightly "distinguishable" from some
other clients, then there are a lot more reliable identifiers available
in the average TLS handshake, so claiming that sending the actual local
time in ClientHello.Random.gmt_unix_time creates a severe fingerprinting
issue and sending random will solve the fingerprinting issue, is
bordering on lame for >99% of the clients.

Most of the time, repeated requests of the same TLS client can be
identified by the network connection having the same client IP address,
the TLS session proposed for resumption in ClientHello.session_id
or maybe someone still using TLS session tickets (rfc5077).


So rather than pointing to ClientHello.Random.gmt_unix_time as a
and claiming there would be a simple fix, one will likely have to
create and go through a long list of issues to determine which
features facilitate fingerprinting and tracking (cipher suites
and many TLS extensions (TLS caching extension, signature algorithms,
Next protocol negotiation, supported elliptic curves, etc.) may
all help in distinguishing clients, and would also have to be
taken care of.


-Martin