[TLS] Review of draft-ietf-tls-esni

John Mattsson <john.mattsson@ericsson.com> Mon, 28 September 2020 09:41 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 681603A0AA3 for <tls@ietfa.amsl.com>; Mon, 28 Sep 2020 02:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.301
X-Spam-Level:
X-Spam-Status: No, score=-3.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IkKFct30HwB5 for <tls@ietfa.amsl.com>; Mon, 28 Sep 2020 02:41:08 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60060.outbound.protection.outlook.com [40.107.6.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B95F3A0F6C for <TLS@ietf.org>; Mon, 28 Sep 2020 02:41:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nDQkUF2AiJ6Rw7WVEsUrKmn3SOP6L51yd5TkkXed210ry7c0YyDVhL+Yeyii3mNtkqm1xUDADxX5q/Q5ld0x3GYD+x3rFXLwv8OscyzFat2M0hDG3E8ZrQqktaqt7joKD0fIi9nfBFDLlLo+NlPrZkJ00oKP+qeDTJX0A2oFSFmRIEfTBGLy6YyvVL0sj+zo3ZwzzZxgvb2thC0zd//fpuFbtnfTn8O5MNz4kXMd8WySPfXvHNwv9c7Y9akCFsYCwVfM8tUSttAzv12oWje+2J+Eh7/hMptaN1f04sLzTlDgcVIB2SXvIY+bDeQb5MF69zFJ5N5amhXaW/NFOjXOuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7WUWeO97jNIJ3uncSXZynDiFYUE4M/kBA2CU0vOFPco=; b=DJLvmEhqCZJSyZ+9YNaOWP4sWM4OJC5xn8uM//Fm3FJHqDWtUmkurqKQdzZu27UCS0F7bmqr5MYccY+oipwxPXMug2O1/R4Evmbd8l9zs69gKgvQ8u94sQSShgs3FHH4ak22QPy2CUKhray8/pOrjWiOiaDTXJNab8HgYYW3yORIa+8HXy+HrW3izmJO9obr01vSegWyJv5fDGF4diaAiWcJYrHdAbulrave7m32E4lvLM9nFspSXD2s8uEyrYIHfeFokm9iFnlUQoxUhdqpiknpPDv9GWFaChHAGNCe8Gb/WYMsBb+TMYC28HouUYlZ3LbiKDorUKw7EZJpomFvMw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7WUWeO97jNIJ3uncSXZynDiFYUE4M/kBA2CU0vOFPco=; b=EAb1mXkHrRYRLGVBLiQ1tPCk5Tw+C0FCJbfFr6Cr33TvJYeM2A9pe+3GqK+R0f437gy4oDcWJQS7L7CH0m31GneHqtxwDamekQbw0YNfMsnem2i/Y51We4Q+CDP1yV4w4aq0Ks+fttxRiAITP1xg2XDt5M2HZtHAjEJuy7Nm8H0=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM6PR0702MB3686.eurprd07.prod.outlook.com (2603:10a6:209:7::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.18; Mon, 28 Sep 2020 09:41:05 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c%5]) with mapi id 15.20.3433.027; Mon, 28 Sep 2020 09:41:05 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: Review of draft-ietf-tls-esni
Thread-Index: AQHWlXt8ROplbM1hFEyXNHb+qx2ZDw==
Date: Mon, 28 Sep 2020 09:41:05 +0000
Message-ID: <B2B60DAC-4029-4E5E-B405-34D4CD0D6CE4@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.176.1.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 21c700f5-5908-4ff5-e95a-08d863929f02
x-ms-traffictypediagnostic: AM6PR0702MB3686:
x-microsoft-antispam-prvs: <AM6PR0702MB3686052B1DCA0FE608A60BDC89350@AM6PR0702MB3686.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hyWc/ZSgwUKzKnUZEbEWD9Ls2RAifS6jUQAUivwri0MxeIkJsTj6fYlt8XVOVZN1JWqrY556vfPX0tey6tkqSoa6vYiDRrOSPLfeQA6PLYC0baJ52XUxj0SSkaxXZKTFoPAFMQ4JgVpJLCmCn3yAHlrQHe+HvnajUVCADstBvAgjmN6nOz0b026tTSP8R3T35xBtwgfx88w4lyg2Jae4pdNeAMHmAlLMEGO/9hcopAzh9Mgbmp0VGO/BdJ79WGV78UJcC533+9+71vxzc5/e3PZJ2f0PeKNu1Hly1q4NGC+Znt5qdjQW15NFVo9TMnyEmgw+5G8m9XzJ/A43yS72IQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(39860400002)(366004)(396003)(136003)(26005)(5660300002)(2906002)(36756003)(186003)(316002)(33656002)(6506007)(2616005)(8936002)(6486002)(91956017)(8676002)(6916009)(71200400001)(86362001)(83380400001)(6512007)(66556008)(44832011)(64756008)(66446008)(76116006)(66946007)(66476007)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: wQV+YANDrGaKmjg1DwKnnRwIlT7ai7P41cTFAktWxUWElp32oIIXfGWAEc0dX0qPwP5Wmwli4nNd6yO1wM/aSgP7KvLH106ZuqeKhll0arx1HF0kUU+4jPbAiWUmz7yUCEr7GHmeXe4Ws8bQm+7gHHenrsBcKGsDIX8LS0i/fIOq3CQZNJw5RpFAaSfSG7K3zPltX/TlWr3BPAUA24JDDiYk0rJ2btawQiXwLB5PxXDwjIe8LjHNmq3IZ4dkplU7hwi2Wt3On5lgJwZ/1rVQ28NEHEhsAOMtsJj2p1oJsFhE7RcZcyoU6PI8sWBGbJYF3Iy71QfIAc+q4CZXMKeSNo2BuabQ61YoyIkN53VVKiPhhMQA3oi/hT8Rmu2DtIeHR0Mez11LS9gDCFw6mbZrlWWXdTNth8dr7kf6DbT0vBE6MYyHuAkvrfKrZYw7DkkQtHKa/qJeTwOy/qpX/VOhA0DufbyCJN5RFpTHM6m/xRVU3xC5jdK1C9U+lnYYBvpz8MRDBUKu0yQSqkSeBAnaRqiApOk3dB2KVKMvmeljU84reuzItjEDRH5zT6cEbRzLrs6+bVt70y0WcCOImr0ESE2a0QS4LS94io7nwD9bEADle2Elj/E/XZlOgVRBGylX81aNUefzi41nYPenZ5sUNw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <89D4EEEDEC5D3045916A0581EFD5E46B@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 21c700f5-5908-4ff5-e95a-08d863929f02
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Sep 2020 09:41:05.6418 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: iBhcjCKYziOr4bhXwKuzwAUrP9y2KtvnSM/ImxGEv0wnobLEp6MCu54Zxlon/XwBy8LqJJ7EJSJlhGWhvxAnUnECMbXwl5aD1btgCzEhfyY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR0702MB3686
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Aud2_hfKvpmEZS_dm-16d_70Duc>
Subject: [TLS] Review of draft-ietf-tls-esni
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2020 09:41:11 -0000

Hi,

I review the version on github and have a few high level comments.

Cheers,
John


- Section 1
"The cleartext Server Name Indication (SNI) extension in ClientHello messages, which leaks the target domain for a given connection, is perhaps the most sensitive information unencrypted in TLS 1.3."

External PSK identities are probably even more sensitive, but are of course not as commonly used as SNI. The draft should definitly mention external PSK identities.


- Section 1
"and other potentially sensitive fields, such as the ALPN list."

I think there is much more than SNI and ALPN that can be sensitive. I think the draft should mentioned that the set of extensions and their content as a whole can be used to identity a specific application (e.g. Tor, File sharing, dating apps, etc.). The list of supported cipher suites is well-known to have been used in practice for fingerprinting.


Section 10.2
“In comparison to [I-D.kazuho-protected-sni], wherein DNS Resource Records are signed via a server private key, ECH records have no authenticity or provenance information. This means that any attacker which can inject DNS responses or poison DNS caches, which is a common scenario in client access networks, can supply clients with fake ECH records (so that the client encrypts data to them) or strip the ECH record from the response. However, in the face of an attacker that controls DNS, no encryption scheme can work”

I think the statement "no encryption scheme can work" is to strong. If the authenticity of ECHConfig is assured it mitigates attacks where an attacker inject false ECHConfig to lure the client to encrypt data to the attacker. Furthermore, the presence of ECHConfig could fool the client to do something they would not do otherwise, like using usign a sensitive application like Tor, File sharing, dating apps, etc. which could get the person in trouble. I think the draft needs to state that something like:

“if the authenticity of ECHConfig cannot be assured, it is unknown who can decrypt the InnerClientHello. Client shall not change their behavior based on unauthenticated ECHConfig”.


Section 10.2
”Thus, allowing the ECH records in the clear does not make the situation significantly worse.”
”SNI encryption is less useful without encryption of DNS queries in transit”

These two statements seems slightly contradicting.