IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for ECH

Eric Rescorla <ekr@rtfm.com> Wed, 13 March 2024 16:45 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1834C14F69A for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 09:45:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9GQZGptirUo for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 09:45:42 -0700 (PDT)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00C82C14F60F for <tls@ietf.org>; Wed, 13 Mar 2024 09:45:42 -0700 (PDT)
Received: by mail-yb1-xb35.google.com with SMTP id 3f1490d57ef6-dcbef31a9dbso4740764276.1 for <tls@ietf.org>; Wed, 13 Mar 2024 09:45:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1710348341; x=1710953141; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=caH5A9d/VS3YOXW2OB5u1zUzRyEBbgQh1iJZPJ8Zdrc=; b=jCK526Hsnih2aGz1uuKMHBAoLl5KhuyPLWtcuxjfaNlzxbPUFSx7Cm679nMt1mJ5HH wCIvVv6FoZsgpRFlTCLIQKPRD8hKcrzQbNAiMDwrK4z0/Qn9JFs2Cq1WS2isvnnfiE4N ZWSyQPQa6L7xqvf1L7RJgWvDtdY342WrkHThKhozg6v0WDD7aKp5zYwSVFOgN7nPpvyb yFGVe/VeKpVOP+HeIXFJje3Qz/uG+XpDUgHhq+dRzs3FcCei5JAj7V//IoVrEck+YmIa p8xu49bQJ/jFwypHUu8MwdYCR24u6X64dWkH003BSIRM52zKDZIAfmKRJgueqkPgPCWL 59YQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710348341; x=1710953141; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=caH5A9d/VS3YOXW2OB5u1zUzRyEBbgQh1iJZPJ8Zdrc=; b=AC9dh9BbC1j0AMCcwH/wukVzX21xtjb8qhIovj4Gvmd3Zvw0tsfpOiVPg/+ydY7Puu zIgtZjdjhZAK/nHNPe3igWaT65go/u/MBPJvRmT717rmUKlWN5s7Gexu+04c3HkEqW8i zdKah2HCRygQXEMs7mnQZ1hTGxKB0N494KZruJNdfzdepR0SON10XGYu+45yCBujHaZ7 489gh2AlstgA5AlHra4iBHRgCpvUDrsoKvIBEY1gX7zyiH+C3wvWADLTjHa02yl6vHii A8joySJAumg+IUkjYd4gNx/Gx78QmaXvSAIwpcT+xWMi1VuvT+9sUhENawfI8b4J2C4a wZjw==
X-Forwarded-Encrypted: i=1; AJvYcCX1gbEzgRYccc3ihLJPEvquk6EijRaN0XsMyOv5lTsNRQv3+BD2JHuo8cfn4IkU4FfGQDeBVDc7JbyINRg=
X-Gm-Message-State: AOJu0Yzm/A4EPr9a81D4BDcBz2j9EzWuBBqhcaU4jIqOtNoNRLLMUWYL C0GDK8jJe8LGYtHTps0BiGp3/Aq3LKyVJ8F+u93J5QbLaD1/j0X9wyVwtUScHRFbDO9sx6dLoae p+Ekx/viXJnqsaBKqKt8I85O7X0r/NvbhjKEq39JncP116N8i
X-Google-Smtp-Source: AGHT+IHs+hNI2vPgMrK+ke088OzKEMfPE+uss9JtyT0L8dDS4S+eTQy9GjkeAlT54cTjyEyaLdPio16YGVOl9vPJI3Q=
X-Received: by 2002:a05:6902:240e:b0:dcf:309d:cc2b with SMTP id dr14-20020a056902240e00b00dcf309dcc2bmr3031801ybb.18.1710348340953; Wed, 13 Mar 2024 09:45:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com> <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CABcZeBPK+jdirtxVPJWipXs0odhsqwsG088NC=OPpd4R=q16Zg@mail.gmail.com> <CAOG=JUKSjbPoz-xBHExrdgtSGTKYYTtnvO18o=qTm7eC2Anc4w@mail.gmail.com> <253111710344559@mail.yandex.com> <CABcZeBNMMvn0g_0dO3rvZfiB8K-5DmBWREVuZJL-r4zPjq_YWQ@mail.gmail.com> <CAOG=JUJRCdzbYaEfwP2pJfduE7=ChHTwpqO94=kzNs=8U1L_hA@mail.gmail.com>
In-Reply-To: <CAOG=JUJRCdzbYaEfwP2pJfduE7=ChHTwpqO94=kzNs=8U1L_hA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 13 Mar 2024 09:45:03 -0700
Message-ID: <CABcZeBP7mbdyGr4ECnfkOMb8Aj9Es_iFddYnv7sq5ZehS1D1dA@mail.gmail.com>
To: Amir Omidi <amir@aaomidi.com>
Cc: A A <tom25519@yandex.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004e24eb06138d8154"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AJYDf8hI1V6ZKBlfRQVgKVrn2dI>
Subject: Re: [TLS] Working Group Last Call for ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 16:45:43 -0000

On Wed, Mar 13, 2024 at 9:20 AM Amir Omidi <amir@aaomidi.com> wrote:

> > I don't think it's realistic for a generic client (e.g., a standard
> browser) to omit or falsify this field.
>
> Why not? From my understanding the issue that happens in this situation is
> that the website becomes less reliable for these TLS clients?
>
> If so, let that be a problem for the client to deal with. All this change
> would do is something in security considerations along the lines of "to
> make this protocol more censorship resistant, a TLS client MAY choose to
> omit, or randomly generate the contents of `public_name`. A TLS Server
> SHOULD handle these situations gracefully, and not actively reject the
> client".
>

But this will actually cause hard failures for any server which shares an
IP.


I do not like the idea of saying "some website can choose to do this". In
> practice, very few websites will go down that route.
>

Yes, because it's not of benefit for websites which share an IP.



> Are there any concerns if this approach is used?
>

There are two questions here:

1. What the specification says
2. What implementations choose to do within the envelope of that
specification.

The specification needs to prescribe a set of behaviors that promote
interoperability, which means that whatever it tells the client to do must
be compatible with what it tells servers to do. Presently, the
specification tells clients to put whatever is in ECHConfig.public_name in
ClientHelloOuter.sni (S 6.1) and tells the server that it may check and
reject it otherwise (S 7.1). We extensively debated whether to forbid
checking in PR #575 and concluded that we should do so. The primary
arguments were the same ones being offered here balanced against the
ecosystem benefits of encouraging the client to correctly populate
ClientHelloOuter.sni to enable the  recovery mechanism. The WG could of
course revisit that decision.

With that said, even if the specification explicitly allowed clients to
omit/falsify ClientHelloOuter.sni, I don't believe that generic clients
(e.g., the kind of Web browsers that most people use) would choose to do
so. The reason is that, as noted above, it would break the recovery
mechanism, and that's more important than the modest increment in
concealing the public_name of servers on non-shared IPs. One might imagine
that some special purpose clients would choose to do so, but that's not the
case I'm talking about.

-Ekr


> On Wed, Mar 13, 2024 at 12:03 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Wed, Mar 13, 2024 at 8:49 AM A A <tom25519@yandex.com> wrote:
>>
>>> I think we should change outer SNI randomly and periodicity (e.g 1
>>> hours), if it change fast enough, censor will need to pay a price to block
>>> it,
>>>
>>
>> This won't work because the public_name is part of the recovery mechanism
>> for misconfiguration, which means that the server needs to have a valid
>> certificate with that identity.
>>
>> -Ekr
>>
>>
>>>
>>> 13.03.2024, 23:40, "Amir Omidi" <amir=40aaomidi.com@dmarc.ietf.org>:
>>>
>>> I'd like to understand how the behavior of the latest draft will be
>>> under an adversarial condition.
>>>
>>> One of the things that really excited me about ESNI back in the day was
>>> effectively making it near impossible for countries, like my home country
>>> Iran, from being able to effectively censor the web. AFAIK Iran's main
>>> censorship mechanism revolves around looking for ClientHello's and then
>>> sending a TCP reset when that SNI matches a censored domain.
>>>
>>> I'm wondering, are we losing that ability from ESNI with this plain text
>>> field? Maybe there can be an understanding in the RFC that the client may
>>> omit, or falsify this plaintext field for a bit of extra adversarial
>>> security in these circumstances?
>>>
>>> On Wed, Mar 13, 2024 at 11:26 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>
>>>
>>> On Wed, Mar 13, 2024 at 2:15 AM Raghu Saxena <poiasdpoiasd@live.com>
>>> wrote:
>>>
>>> On 3/13/24 14:51, Watson Ladd wrote:
>>>
>>> > I'm not sure what problem you want us to solve here. In the case of
>>> > server offering a single domain, an attacker can determine that
>>> > connections to that domain go to the server and cheaply block based on
>>> > IP. As a result the threat model is one of distinguishing between
>>> > connections to two different inner names.
>>>
>>> An IP can be cheaply recycled as well, for instance restarting a VPS on
>>> a cloud provider. Furthermore, IP based blocking may even be discouraged
>>> at a higher level, for the exact reason that IPs can change pretty
>>> easily. As an operator, I might be able to migrate my hosting to a new
>>> server provider (and hence IP) trivially, but informing my users of a
>>> domain change is much harder.
>>>
>>>
>>> Yes, but the attacker can easily learn these IPs merely by querying
>>> the DNS. Moreover, they can learn the associated domains by sending
>>> a CH with no SNI at all and seeing what's in the certificate.
>>>
>>>
>>> > DNS does not propagate atomically with webserver configuration
>>> > changes. It's thus necessary to deal with mismatches.
>>> While this is true, if there is a configuration mismatch (and hence ECH
>>> cannot work), why is the decision made for the server to transparently
>>> "downgrade" it to non-ECH, instead of sending some kind of alert that
>>> signifies the client to retry without ECH?
>>>
>>>
>>> Three reasons:
>>>
>>> 1. Such an alert would be insecure because an attacker could forge it,
>>> thus causing the client to send ECH in the clear.
>>>
>>> 2. It allows the server to be completely ECH unaware rather than needing
>>> to special case an ECH alert.
>>>
>>> 3. It allows the server to securely provide a new ECHConfig.
>>>
>>> -Ekr
>>>
>>>
>>>
>>> Regards,
>>>
>>> Raghu Saxena
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>> ,
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>

v2.23.0 | Report a Bug | By Email