IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 14 May 2014 07:45 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A9171A0276 for <tls@ietfa.amsl.com>; Wed, 14 May 2014 00:45:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.553
X-Spam-Level:
X-Spam-Status: No, score=-7.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IMrnv8txewCf for <tls@ietfa.amsl.com>; Wed, 14 May 2014 00:45:11 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 2AC901A0273 for <tls@ietf.org>; Wed, 14 May 2014 00:45:11 -0700 (PDT)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s4E7j0Vg015875 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 14 May 2014 03:45:00 -0400
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s4E7iv4U031772 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 14 May 2014 03:44:59 -0400
Message-ID: <1400053497.2757.12.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 14 May 2014 09:44:57 +0200
In-Reply-To: <53725C34.8060105@fifthhorseman.net>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <CAK3OfOi1x9huaazwcO=d72mfOFuV_RyXnfHmFRduhhbJE2miYw@mail.gmail.com> <CALCETrWukS2QJSb01n7OpXD2iaK43OhZr4E8YZyJ6JaorCdBKw@mail.gmail.com> <CAKC-DJjgFrAmxkC-MsmL+-uRWpN_mDPGkV_g-6DhbVH+69EQEQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7130ABEA050@USMBX1.msg.corp.akamai.com> <53725C34.8060105@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BxLko0Hofa0UOfia5vjr-m7eqkk
Cc: Andy Lutomirski <luto@amacapital.net>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 07:45:13 -0000

On Tue, 2014-05-13 at 13:53 -0400, Daniel Kahn Gillmor wrote:
> On 05/13/2014 09:07 AM, Salz, Rich wrote:
> >>  Especially given that there's little value in encrypting SNI with[out] encrypting/securing DNS, associating the two has some nice mutually-motivating properties.
> > The “[out]” is the important missing part, I think.
> yes, indeed :)  But that's what the dns-privacy discussion is about.
> 
>   https://www.ietf.org/mailman/listinfo/dns-privacy
> If we don't offer a standard mechanism for protecting the
> confidentiality of SNI (at least against passive monitors) in upcoming
> versions of TLS, then the dns-privacy discussion is going to have
> serious trouble sustaining its work by an analgous "little value
> unless..." argument.  We shouldn't sabotage that work.
> The TLS WG needs to fix the SNI leak, and DNS confidentiality needs to
> be addressed by the DNS folks if we want to protect this information
> against passive eavesdropping.

Fixing the SNI leak is easy, just don't use SNI. The main issue is in
the TLS handshake which sends the certificates in plain. A fix for
passive eavesdroppers would require a new IPSec-style handshake. It
comes at a cost though. Load balancers and redirectors will need to
terminate TLS in order to redirect the traffic to the proper host.
Terminating TLS there would mean (a) the encrypted session isn't
terminated on the intended server but somewhere else, (b) user
authentication with TLS will be pretty much unusable for hosts behind
that type of systems, (c) software redirection of sessions (e.g.,
because a different process handles a different host or protocol - see
ALPN) will also become very difficult.

regards,
Nikos

v2.23.0 | Report a Bug | By Email