Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)

Jacob Appelbaum <jacob@appelbaum.net> Tue, 22 September 2015 17:39 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 276001B2C6A for <tls@ietfa.amsl.com>; Tue, 22 Sep 2015 10:39:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L06xgcVLOGU1 for <tls@ietfa.amsl.com>; Tue, 22 Sep 2015 10:39:53 -0700 (PDT)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D53DF1B2C59 for <tls@ietf.org>; Tue, 22 Sep 2015 10:39:52 -0700 (PDT)
Received: by wiclk2 with SMTP id lk2so204590142wic.0 for <tls@ietf.org>; Tue, 22 Sep 2015 10:39:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=qu3KKjK/shTGLz7ssgYMetTbnRqTdcO23QWBk406BPc=; b=dOWLncwVQ0QFq/plUXXPMaqfi37eRwJOQivEmCtT5SS64LftPmcwtwu5DbIbI6WAN6 AeslyNEx6UUtSFnr+DTNjcf/yDG9OwSBDmzOiQUYbqneLaApOJbyQd+sm8Ro1T+T2TpN nHRgBO6WagBZxg5MznaIKlcxppBNdFEFrlVh3SN1VN/mHMvELrKj0tAmKvc4eSH//VY+ K8320rd4L15udaUed/fVKBZiioHeYjwb3/84BBhTOPns0GlkkfOuEmSgXoETKK8zvpM2 7GKZ4nj6bbZcD7tmYFG/xX54I3uaJ4cpp9NSlA5+RYqaTUvFK2hxWOSrfeFmDsy95t35 YdZQ==
X-Gm-Message-State: ALoCoQmlOlCXHswBWAq7h2M62g/yHoxHrcXD/i2UwV1GuHSfLqNFlgTVZ70MNIbZyiIOirmcBXgP
MIME-Version: 1.0
X-Received: by 10.194.113.33 with SMTP id iv1mr19679735wjb.65.1442943591279; Tue, 22 Sep 2015 10:39:51 -0700 (PDT)
Received: by 10.28.22.204 with HTTP; Tue, 22 Sep 2015 10:39:51 -0700 (PDT)
X-Originating-IP: [89.31.57.5]
In-Reply-To: <871tdr23fh.fsf@alice.fifthhorseman.net>
References: <CAL6x8mchyh2Qpqcd5Rv-rXgZ+1_CAbV7vkib+-yU4DEDFx82Yg@mail.gmail.com> <CAL6x8mfDjYAhOwvBY-tFO-407E9U+SaknJnuh_dCEEUbWJZZWw@mail.gmail.com> <20150828144932.GH9021@mournblade.imrryr.org> <201508281213.03823.davemgarrett@gmail.com> <20150828162251.GM9021@mournblade.imrryr.org> <871tdr23fh.fsf@alice.fifthhorseman.net>
Date: Tue, 22 Sep 2015 17:39:51 +0000
Message-ID: <CAFggDF14LALxYZMVYzRepNU61tgPERTJyn+FgHWD13CpRcbLAQ@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6Vnln4rJYhn1UOVYcWomBIJkp7Q>
Cc: tls@ietf.org
Subject: Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 17:39:55 -0000

On 9/21/15, Daniel Kahn Gillmor <dkg@fifthhorseman.net>; wrote:
> On Fri 2015-08-28 09:22:52 -0700, Viktor Dukhovni <ietf-dane@dukhovni.org>;
> wrote:
>> So the client would now need to cache some session data by transport
>> address, and other data by name and port.  That's rather complex.
>
> This is already done by HTTP/2 clients, since they can access multiple
> servers at the same address:port combination.
>
>> And how often will the same client visit multiple servers at the
>> same transport address?
>
> *.github.io, *.blogspot.com, massive CDNs, etc.  It's a common pattern.
>
>> I don't really see this as viable or worth the effort.
>
> I disagree -- the metadata leaked to a passive attacker by mandatory SNI
> is a valuable signal.  It is worth trying to protect it.

I agree - this metadata is usable as a selector for automated
surveillance and for automated exploitation.

>
>> I don't think SNI hiding is viable without encryption at the
>> transport or network layers.
>
> any encrypted SNI is effectively acting as a shim for transport
> encryption, yes.  Then again, TLS is itself "transport layer security",
> so we should try to provide it at least as an option.

In an ideal world: using ephemeral keys, we must be able to have usage
of the protocol that is selector free.

>
>> And there's still a metadata leak via DNS which may prove difficult to
>> address.
>
> The DNS community is working to address the DNS leak in DPRIVE.  The TLS
> community should be working to fix its own part of the metadata leak.
>

Agreed, strongly.

All the best,
Jacob