[TLS] Re: ECH Proxy Mode

涛叔 <hi@taoshu.in> Thu, 05 September 2024 09:53 UTC

Return-Path: <hi@taoshu.in>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50907C151095 for <tls@ietfa.amsl.com>; Thu, 5 Sep 2024 02:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=taoshu.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GubZVmaFr6i for <tls@ietfa.amsl.com>; Thu, 5 Sep 2024 02:53:29 -0700 (PDT)
Received: from mx1.lehu.in (mx1.lehu.in [IPv6:2603:c024:c00c:9e00:1::]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28B80C151091 for <tls@ietf.org>; Thu, 5 Sep 2024 02:53:29 -0700 (PDT)
DKIM-Signature: a=rsa-sha256; bh=GFTY/dcZY/5khn3uuGLnoZUPR8VtcAVdFKZcU+1ppvQ=; c=relaxed/relaxed; d=taoshu.in; h=Subject:Subject:Sender:To:To:Cc:Cc:From:From:Date:Date:MIME-Version:MIME-Version:Content-Type:Content-Type:Content-Transfer-Encoding:Content-Transfer-Encoding:Reply-To:In-Reply-To:In-Reply-To:Message-Id:Message-Id:References:References:Autocrypt:Openpgp; i=@taoshu.in; s=default; t=1725530007; v=1; x=1725962007; b=zZxp+yxkpRn4gZzKY3cdplruXEFzphcTnB7TQ9yML/xfiIsqBwN+XJXEla2NfGZRrkWRxo8w d0Re0Ts8DholOJFzGjd+kVdtTY2rVGVXyr2q+JfnNTP1GG8XoXjTY8pBO1q8cDVd2ySP0ZX0OQd QdUoAcfRFPHLH9QacFgVtx+cSL7xDQzocmNhVcreZTKbhWZ/X1uHg5zL352mk38/hMT1Ylck+S2 WCFUq5cQJ177xKZzxh1R/pn2UgrHSk+KN60PG/nPOSFJDWv6TvZAj3pt6t+7tCzd+i3dNs3VrFr D3L6JlsQVkTWd6kiJhdz/2xPS33v0QJ7GUmuWFjfu9Hkw==
Received: by mx1.lehu.in (envelope-sender <hi@taoshu.in>) with ESMTPS id f0b5591c; Thu, 05 Sep 2024 09:53:27 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3818.100.11.1.3\))
From: 涛叔 <hi@taoshu.in>
In-Reply-To: <ME0P282MB5587AFB9A303CE7FABEAF008A39C2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
Date: Thu, 05 Sep 2024 17:53:14 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <C3A1FBAA-CEB9-49FD-A50F-831D86FDECC7@taoshu.in>
References: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in> <ME0P282MB5587AFB9A303CE7FABEAF008A39C2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
To: Raghu Saxena <poiasdpoiasd@live.com>
X-Mailer: Apple Mail (2.3818.100.11.1.3)
Message-ID-Hash: CVOJDI52QR4EFH5I4XUPP6LN4EMXW2H7
X-Message-ID-Hash: CVOJDI52QR4EFH5I4XUPP6LN4EMXW2H7
X-MailFrom: hi@taoshu.in
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: ECH Proxy Mode
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7R8yaWxP_B9nvhlHUf_-8b5pyUw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi,
> On Sep 4, 2024, at 11:28, Raghu Saxena <poiasdpoiasd@live.com> wrote:
> 
> On 9/3/24 10:52 PM, 涛叔 wrote:
>> This idea was derived from my attempt to implement encrypted TLS SNI Proxy. The SNI
>> does not only expose privacy information, many ISP use it to block certain web site.
>> Even though the current draft of ECH works to protect the ClientHello, it can only
>> protect the sites that deployed the ECH.
>> 
>> If we can adjust the current design and let the client-facing generate and response
>> the accept_confirmation signal, we can make ECH everywhere without upgrading any of
>> current TLS backend server. Which means the client-facing can work as an encrypted
>> TLS SNI Proxy.
> 
> I'm trying to understand what exactly your use-case here is. Wouldn't a naive HTTPS Proxy w/ CONNECT be sufficient?
> 
> E.g. if we have the proxy domain `https://myproxy.com` , and the website we want to connect to is `https://supersecret.com`, then assuming a classic HTTPS Proxy running on `myproxy.com`, the Client would make a TLS handshake to `myproxy.com` and reveal the Proxy SNI, however once the TLS handshake with the proxy is complete, the `CONNECT` to `supersecret.com` will be inside the TLS tunnel, so it will be private.
> 
> I think this would be sufficient, since even in the split-example with ECH you mention, the `public_name` of the first client-facing server will be visible anyway.


Yes, the native HTTPS Proxy with CONNECT has similar feature. However, the ECH based SNI Proxy
still has some benefits.

First, we setup one DNS over HTTPS server, and let the user agent use the DoH server.

Second, we setup the client-facing ECH server as SNI proxy.

Third, in our DoH server, we "hijack" the A/AAAA record for the original server and point it to the ECH client-facing server,
and add the fake HTTPS/SVCB record to indicate the user agent that the original "support" ECH.

Finally, when the user agent try to negotiate the TLS session to the backend server, it looks up both the A/AAAA and HTTPS
records from the DoH server. Then the user agent will connect to our client-facing server (work as SNI proxy).
Since the user agent also derives our fake HTTPS record with ECH config, the user agent will try to connect the client-facing
server using this config with a proper generate config_id and public_name. We can dynamically generate this ECHConfig
and associate the real original domain name to some dynamic public_name.

When the client-facing server accept the ECH handshake, it can decrypt the real domain name of the original server, and then
it will works as a normal SNI-proxy and try to connect to the backend server using the ClientHelloInner.

As the server has no idea of this ECH-based proxy, it will respond a normal ServerHello with normal random field. Once our
ECH client-facing the ServerHello, it has to respond the accept_confirmation on behalf of the original. However, the current
draft requires using the last 8 bytes of random in ServerHello to indicate the accept_confirmation, which can not be modified
by the client-facing server, and this design makes it impossible to implement this ECH-based SNI proxy.

If we can implement ECH-based SNI proxy, we can "deploy" ECH to all TLS server without upgrading the HTTPS server
software of the backend server. All we need is to do some kind of "DNS hijacking". This hijacking will result in no security problem
because the client-facing server will only see the ClientHelloInner and can not monitor the real plain traffic under TLS.

If we can implement ECH-based SNI proxy, the user agent setup will be simplified as much as possible. All it needs to do is
setup a proper DoH server, and let all other configuration in the remote side of ECH client-facing server and DoH server.