Re: [TLS] About encrypting SNI
Jacob Appelbaum <jacob@appelbaum.net> Tue, 20 May 2014 20:47 UTC
Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A061A07A4 for <tls@ietfa.amsl.com>; Tue, 20 May 2014 13:47:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDvpC6fYo9Fq for <tls@ietfa.amsl.com>; Tue, 20 May 2014 13:47:13 -0700 (PDT)
Received: from mail-qg0-f42.google.com (mail-qg0-f42.google.com [209.85.192.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F55E1A0797 for <tls@ietf.org>; Tue, 20 May 2014 13:47:13 -0700 (PDT)
Received: by mail-qg0-f42.google.com with SMTP id q107so1749008qgd.1 for <tls@ietf.org>; Tue, 20 May 2014 13:47:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=j33hj7hYde3r5XfoNenMjjXM9ADUlaEdHdiwbZQUZ/o=; b=hEe3npJYZQ3ire+DPOqZpW/DHUVkg4LGYTjNuLKx2HvwJ8w+Cn2qWY8LG6KH/NlGZm L2CdsBiaeLpQSySlTjH90HCRfAbYCJEVfWq3Yp6HT1MtutyFcP1rvZ6kAHgpq4tHsZpW 7hdzpWGHtRFZPwTe6byr+AgXWldlBExVFHsmiIiA9CCf7rUllt0U42BuC+UwVsofvXL6 Ka8M3MRUxrw7HLLw472MfWkh1wW3WRxBzyMelMTpS/mvTqozVh6mLPONYRzVTFTrV4U7 9i/OLuFm1BMawKY02VODUFY5osPt5UDV7aehBTW8LmfcBnDy2PXLygEmfWxvyLE1J+SS yAYw==
X-Gm-Message-State: ALoCoQn9J/x5QTKufVDJ4sBm4gl+0iNY9BeUnYKH2ehPtSL16ZP/lu+dEqPGiRslxyDRK/Q4ucCS
MIME-Version: 1.0
X-Received: by 10.224.66.74 with SMTP id m10mr61939606qai.14.1400618832200; Tue, 20 May 2014 13:47:12 -0700 (PDT)
Received: by 10.140.100.205 with HTTP; Tue, 20 May 2014 13:47:12 -0700 (PDT)
X-Originating-IP: [37.148.163.38]
In-Reply-To: <C81C96A7-0878-4C84-AB8C-CF0BF11841F2@gmail.com>
References: <0B76075A-D9F1-4780-8834-7FF0A1C82999@vigilsec.com> <20140425013239.7FE5E1ACE1@ld9781.wdf.sap.corp> <CAFggDF3u1R+540x6SM3Rt5u+GNQ44ZKozCoTSU1k+XMPU9V-tQ@mail.gmail.com> <C81C96A7-0878-4C84-AB8C-CF0BF11841F2@gmail.com>
Date: Tue, 20 May 2014 20:47:12 +0000
Message-ID: <CAFggDF3L2X545kNHbz-eu5FiGJ3EXrjjDR6VKcWZSSU1JFwjvw@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FTldOxhioT5muvSE-owZX8X7Hjo
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 20:47:14 -0000
On 5/20/14, Yoav Nir <ynir.ietf@gmail.com> wrote: > > On May 20, 2014, at 8:17 PM, Jacob Appelbaum <jacob@appelbaum.net> wrote: > >> On 4/25/14, Martin Rex <mrex@sap.com> wrote: >>> Russ Housley wrote: >>>>> I think Rich Salz has outlined very compelling reasons not to support >>>>> SNI. >>>> >>>> While I might quibble with a detail here or there, I do agree with the >>>> conclusion. If you need to protect SNI, then TOR or to a lesser extent >>>> TLS-in-TLS can be used. >>> >>> I agree. If you need TOR, you should use TOR. >>> >> >> This is curious - what specific property do you think you need from Tor? >> >> To protect from information leaks in TLS or other protocols? If so, >> sure, use Tor. >> >> One doesn't need the anonymity of Tor or the censorship circumvention >> of Tor per se - rather, this is basically compensating for a protocol >> that leaks plaintext information. > > The requirement for encrypted SNI is very simple. I want to browse certain > web sites such that if people knew I was browsing them it might get me in > trouble. We all like the example of a gay teenager in Uganda, but it could > just as well be an American browsing a website advocating Shari’a law for > all western countries landing in a no-flight list. TLS is about protecting things more than websites, isn't it? Or put another way: the internet is more than the world wide web! My requirement for encrypting SNI is different than yours, I suppose. I want to stop information leaks that are used by attackers to degrade or otherwise attack users of TLS. I also want to stop a passive attacker from learning specific details about my TLS session. I also want to ensure that I can detect an active attacker who wishes to learn this information before I might disclose it. Leaking information automatically for every connection to a passive attacker doesn't meet those requirements. > > Encrypting SNI would help if the “suspicious” web site is hosted by a > hosting service, and there are multiple innocuous sites on the same IP > address, and the traffic from the innocuous sites dominates the traffic to > the server, and traffic for this site is not distinguishable by other means > such as traffic analysis. That’s a lot of ‘if’s up there, and if any of > them fails, the adversary will know that I browsed the suspicious site. That is largely false, I think, There are many kinds of adversaries. As it stands, we're not even able to defend against attackers who can just watch a handshake. They can even perform a selective MITM before the handshake completes. We're not even into website fingerprinting techniques, which yes, I agree are a problem. Such fingerprinting issues are however a different problem in a family of problems, frankly. It is clear that TLS cannot protect you from practical realities about information theory. It would be nice if that was actually the issue at hand. Rather we're discussing an information leak that largely comes from a trend of centralization. E.g: we have a lot of hostnames on one IP address or a cluster of load balancers handling a bunch of different sites. As a result, we need to reveal the hostname to ensure that the server returns the correct certificate. Obviously, we need to reveal that information somewhere, I just don't buy that we should reveal it to the network. TLS should protect you from this information disclosure. Users that I have asked were surprised to learn that TLS reveals the hostname in their TLS connection. I think a good quote is: "What does that padlock even mean?!?" Amusing, right? Well, perhaps... but what does the security in TLS mean anyway? If it means leaking information everywhere so that more people are motivated to use Tor, what should Tor use as a transport protocol when it wants confidentiality? Not TLS? ... Argh. > AFAIK Tor provides a far more robust protection of this kind of activity. > Tor relies on TLS and does not have the problem that say, a CDN has with virtual hosting. And in any case, these choices in TLS will ensure that it is harder for Tor to provide needed robust protection for any activity. A Tor bridge, for example, is not listed in a public directory. The TLS distinguishers are what make it easy for a passive adversary to tag (say, with XKEYSCORE) those flows for further analysis. In the case of China and Iran, we see this analysis in the form of automated detection of bridges, where the censors actively probe suspect connections and then blackhole traffic when they feel it is positively a Tor bridge. This does not happen for all TLS connections and it would probably not currently scale for all TLS connections. If we could blend in, we'd be better off. We have an obfuscated protocol for defeating DPI but man, that is a hard road and in any case, it makes some assumptions that are (likely) wrong. It is hard to close that feedback loop without censorship - that is - sometimes the only detection of surveillance (aka our friend Eve) is with censorship. Which brings me to the case of the FVEY countries (UK, US, CA, NZ, AU) and their other partner nations (a longer list including SE, DE, etc - look it up) - they use XKEYSCORE to tag TLS traffic based on these distinguishers. That data is put into databases for later uses. It is also used for exploitation ala QUANTUM*. These TLS issues are really a problem and they are really being actively exploited in the wild. > So I’m with Martin on this. If you need Tor, use Tor. > And how will you get your copy of Tor, exactly? And how will you use that on devices where there is no Tor? And when you download your copy of Tor, what happens to the meta-data about those traffic flows? I guess it should be easy to pick out torproject.org from the SNI flowing across our TLS enabled website, regardless of all the other protections we might take... None of our TLS sessions are free (from surveillance and censorship) until they're all free (of distinguishers)... :-) All the best, Jacob
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir