Re: [TLS] DNS-based Encrypted SNI
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 04 July 2018 04:50 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C5C1130E9D for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 21:50:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EL-_py_j9dbO for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 21:50:17 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7324130E3E for <tls@ietf.org>; Tue, 3 Jul 2018 21:50:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 5F57D21C3F; Wed, 4 Jul 2018 07:50:14 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id P8X9MlygRnxj; Wed, 4 Jul 2018 07:50:13 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id C9BFC79; Wed, 4 Jul 2018 07:50:10 +0300 (EEST)
Date: Wed, 04 Jul 2018 07:48:44 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20180704044844.GB10665@LK-Perkele-VII>
References: <CABcZeBMR=5QQjSS68H2mQoyG1cHVa5+Z_5SH0Md07kTBVSr3Sw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBMR=5QQjSS68H2mQoyG1cHVa5+Z_5SH0Md07kTBVSr3Sw@mail.gmail.com>
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C4-goKhcaqrpCUVrNwcMwOp9HRo>
Subject: Re: [TLS] DNS-based Encrypted SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2018 04:50:21 -0000
On Mon, Jul 02, 2018 at 04:39:14PM -0700, Eric Rescorla wrote: > > I just submitted: > > https://tools.ietf.org/html/draft-rescorla-tls-esni-00 > > This draft describes a DNS-based approach to doing encrypted SNI. > > Previously, we had thought this wouldn't work because only sites that > were particularly vulnerable would do it, and so the use of ESNI marks > you out. The idea behind this draft is that there are a lot of sites > which are hosted by -- and whose DNS is run by -- a large provider, > and that provider can shift many if not all of its sites to ESNI at > once, thus removing the "standing out" issue and making a DNS-based > approach practical. The recent Russia versus Telegram episode is kinda worrisome in this regard. Basically, it looked like the actions that created massive collaterial damage got at least two very large cloud provoders to disable one technique of hiding the name of the target server. > I am working on an implementation for NSS/Firefox and I know some > others are working on their own implementations, so hopefully we can > do some interop in Montreal. > > This is at a pretty early stage, so comments, questions, defect > reports welcome. One thing I noticed: First there is this in evaluation: 7.2.4. Do not stick out By sending SNI and ESNI values (with illegitimate digests), or by sending legitimate ESNI values for and "fake" SNI values, clients do not display clear signals of ESNI intent to passive eavesdroppers. Is that suggesting to send fake ESNI values? If so, there is this in endpoint behavior: 5.2. Client-Facing Server Behavior o If the EncryptedSNI.record_digest value does not match the cryptographic hash of any known ENSIKeys structure, it MUST abort the connection with an "illegal_parameter" alert. This is necessary to prevent downgrade attacks. So sending out fake ESNI values seems unsafe. My reading of that is that if server supports ESNI, but is not configured, then it MUST terminate (illegal_parameter) any handshake where ESNI extension was offered in. But that behaviour would cause any split mode handshakes to fail if backend supports ESNI. -Ilari
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Short, Todd
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Brian Sniffen
- Re: [TLS] DNS-based Encrypted SNI Short, Todd
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Paul Wouters
- Re: [TLS] DNS-based Encrypted SNI Sniffen, Brian
- Re: [TLS] DNS-based Encrypted SNI Ben Schwartz
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Paul Wouters
- Re: [TLS] DNS-based Encrypted SNI Patrick McManus
- Re: [TLS] DNS-based Encrypted SNI Tim Hollebeek
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Kazuho Oku
- Re: [TLS] DNS-based Encrypted SNI Ilari Liusvaara
- Re: [TLS] DNS-based Encrypted SNI Ilari Liusvaara
- Re: [TLS] DNS-based Encrypted SNI Ilari Liusvaara
- Re: [TLS] DNS-based Encrypted SNI Stephen Farrell
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Kathleen Moriarty
- Re: [TLS] DNS-based Encrypted SNI Stephen Farrell
- Re: [TLS] DNS-based Encrypted SNI Kathleen Moriarty
- Re: [TLS] DNS-based Encrypted SNI Kazuho Oku