IETF Logo Mail Archive

Re: [TLS] Alternative ESNI?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 15 December 2018 21:06 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7711130E50 for <tls@ietfa.amsl.com>; Sat, 15 Dec 2018 13:06:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ld3XodNwetHp for <tls@ietfa.amsl.com>; Sat, 15 Dec 2018 13:06:11 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28F3C130E4F for <tls@ietf.org>; Sat, 15 Dec 2018 13:06:10 -0800 (PST)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 40FEBAFDC7 for <tls@ietf.org>; Sat, 15 Dec 2018 16:06:07 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <4d16124a-11ae-592c-638b-4462ce39fd43@cs.tcd.ie>
Date: Sat, 15 Dec 2018 16:06:06 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <A231F763-E57E-42A6-A803-F9F54F064C4D@dukhovni.org>
References: <20181215025346.GJ15561@localhost> <d297696e-5199-779a-697c-a5c3249555f2@cs.tcd.ie> <970F5B55-A45D-4DFF-9D9D-C9E310D8E331@dukhovni.org> <4d16124a-11ae-592c-638b-4462ce39fd43@cs.tcd.ie>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DsNCDoPOiQCv-MIjBKnnygB8Cy4>
Subject: Re: [TLS] Alternative ESNI?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Dec 2018 21:06:15 -0000

[ After this comment, stepping back for a while, I want to hear what others
  think about the general shape of the alternative... ]

> On Dec 15, 2018, at 3:40 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>> For opportunistic discovery, yes also DNS, but the DNS record would
>> just hold a stable indication of support for the protocol.
> 
> Isn't the easiest attack on ESNI then to just block visibility
> of that boolean at which point a client will use SNI and not ESNI
> and it's game-over? That seems to imply the HRR scheme isn't
> any less dependent on DNS really, as I think ekr implied. (The
> HRR scheme could be much nicer in terms of operating DNS, but not
> more secure.)

The HRR scheme has better support for out-of-band local policy, that
resists the above attack, since the data that would be obtained via
DNS is comparatively stable, and could just be a local setting in
the user agent.

If one is willing to forgo authenticating the fronting server
(trade-off), the use of ESNI could simply be on by default,
discovered in-band by observing whether the server's HRR carries
an appropriate extension.

  * Send sentinel client key_share that triggers HRR
  * Omit all sensitive extensions.
  * Send sentinel SNI
  * Check server HRR for extension that indicates support
    for encrypted extensions in client HELLO after HRR
  * If present, encrypt all the client extensions including SNI.
  * If absent, then proceed as before.

In this mode, there are no new DNS lookups, but we end up doing
an extra round-trip for all servers, even those that are not behind
CDNs and don't support the extension.

That is of course great news for not standing out of the crowd,
all traffic looks the same whether behind a fronting CDN or not,
*but* this forgoes the opportunity to learn (via a secure out
of band channel) the fronting server's name and authenticate it,
so the MiTM SNI disclosure attack is back.

We can trade-off broad deployment against active attack resistance,
but it seems difficult to have both.  I'd be inclined to favour
broad deployment, and rely on Tor and the like (in combination
with ESNI) to make SNI disclosure through active attack less
useful to the attacker.

-- 
-- 
	Viktor.

v2.23.0 | Report a Bug | By Email