Re: [TLS] About encrypting SNI
Alyssa Rowan <akr@akr.io> Mon, 14 April 2014 18:39 UTC
Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93C171A06AC for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 11:39:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.398
X-Spam-Level: *
X-Spam-Status: No, score=1.398 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_24=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4PWqPY14XzF2 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 11:39:33 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id 59B1D1A0203 for <tls@ietf.org>; Mon, 14 Apr 2014 11:39:33 -0700 (PDT)
Message-ID: <534C2B62.7080301@akr.io>
Date: Mon, 14 Apr 2014 19:39:30 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: tls@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <CACsn0cksJP-cxLKam=r_LGYG5_psL-ecxVxV=pCERn8rbHaGsw@mail.gmail.com> <0B76075A-D9F1-4780-8834-7FF0A1C82999@vigilsec.com> <CABcZeBM4putSnhE7_kCVF9hOsUTW9-nc8-TXj-zfhaZcnkrL5Q@mail.gmail.com>
In-Reply-To: <CABcZeBM4putSnhE7_kCVF9hOsUTW9-nc8-TXj-zfhaZcnkrL5Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/D6SoGbOviM3QbZ5kUcqNA7Hy6yw
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 18:39:34 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 14/04/2014 18:13, Eric Rescorla wrote: > I'm not sure that this addresses the requests I have heard for SNI > encryption which is to conceal the sites people are going to by > default rather than as a special case for the privacy conscious. Precisely. Tor (for example) wants to look like a common-or-garden browser to avoid Eve fingerprinting it (and real, actual jackboots knocking doors in as a result). This means, say, browsers should make - and be able to make - the most privacy-preserving choices, too. That benefits everyone. Plaintext SNI makes it really easy to demux connections to the same ip:port tuple without needing state from DNS lookups. That's an advantage for Bob, where Bob has a lot of servers (like Rich does) - but it's also a huge advantage for Eve and Mallory. We should also consider if we can use the same method to protect returned certificates, and any other plain-text ClientHello fields (notably ALPN). We do want that if we can get it practically, so maybe we want something slightly more general than just for SNI. > It's certainly the case that there are some additional changes > that would be required to make concealing SNI worth doing > (principally encrypted name resolution, but also a clear model for > how to do traffic padding and other things), but conversely if we > don't change TLS to permit concealing the SNI, then we won't get as > much value from encrypted DNS. What I'm worried about is the circular argument of doom and defeat: · We don't have encrypted DNS requests, so why encrypt SNI? · We don't have encrypted SNI, so why encrypt DNS? · We don't have encrypted IP: why encrypt over TCP which can be RST'd? · Privacy is hard: let's go shopping. Maybe we should worry less about what we don't have yet: and instead, let's do what we can to build the things we don't have to make Eve's life a little harder in steps. Counterbalancing our wishes of course is how much is useful, practical, and technically feasible, especially at the scales Rich needs to worry about. And I empathise with his troubles there. (I seriously doubt any solution that requires iteration in linear-time with the number of hosted domains is workable, for example!) How can we protect the Hellos in general from Eve and Mallory as much as we can without making Bob's (or, to a lesser extent, Alice's) life too hard? Can we do that in a backward-compatible way? (I'm getting the vague sense that if we can't, things look more like TLS 2.0?) But I don't think we should give up on doing it just because it's a tough problem to solve. It's literally the first thing listed in the WG charter as a "do want" for TLS 1.3: so if we can't deliver that easily, then I think we need to try harder! I'll let you know if any sudden epiphanies arise. Anyone got any bright ideas? - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJTTCtiAAoJEOyEjtkWi2t6y0kP/1IIj9/ckBXw4Uqsxc2hi998 oPyAC6txJug13s1HyB0Xy0hpcCBiUpzVudbuboBTAc5gEixNFifT+P+GtcpTEcWB MqgRsQd5yCQGsEEzPIqQHwiuaY2bx/V1o4FT6bKqoKAr18aafUuUqD26IchEEVEy 4eaXwNtbAdVOOioke8CBRe4TvdSYg38wpAqMZIdEUlRAOb5wIJ0C+RWNOfLFW7CL OxA1xXNq0y1OOdoOH1rzgfxdi443GskKOWRdcz2NAvBfDQzakvz5NEe9kpF1CFgW fSBk5Z+uIONOlU5rWvXaGuNk+kuSIUquHyLo6pdkBgfD0qE2Z84jEcN83knEHT29 fRNl/OxTUbvjRUv5rfhwGNs/BgLKB/tX4X8hLYLAo6Z/cqdD/hXjZiTDAEEQaqgt Lp1lWqBNKXQbp7FaOC9+RcrETTMw4EW364To9zwn+xFZG94E2Duy0daowZZapVVM 0sNWvvtIMCC2a71NfNqi0BhGkk8ExGwUVsEj333H4ljBb6ywnzPeYpCHXpk9oVYP OFwhzHxlul7qAXq8O7gzuMkQs0BhqbiZR2Myur70kOcdiUkqRuuDh6j6x4W4q9gh YffPV9RrTHVgO+5WxyPk6WCHgKRc2OzSB7g9T7ccmQZ/lzRCrSbEfl89EHWe6wYo LJbuQo1ZYP6GXO63mFyX =wBko -----END PGP SIGNATURE-----
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir