[TLS] RFC 9849 clarifying split mode security
Florentin Rochet <florentin.rochet@unamur.be> Fri, 03 April 2026 10:55 UTC
Return-Path: <florentin.rochet@unamur.be>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C42C2D600273 for <tls@mail2.ietf.org>; Fri, 3 Apr 2026 03:55:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775213748; bh=h3gLXY4qX47J3EDuex/2aHTOd92nlIA60GW44TIcGSY=; h=Date:To:From:Subject; b=XzY7JqjrMcmC4XZoI715/3p2CUhIGYDGbVgk+mIBuWpCxWfRJQ89u4vb0NkPAfIqc CEGDCqup8aAaQijHNtT27j/le2P97jf2/QkoccZofDSYoy330pmDOnK8g4UeFx/xEM AtPc1BNGZ91wjTT9IeH1dUiILrk+NojdIB4pGZPY=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=unamur.be
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JW1PBlAehYtU for <tls@mail2.ietf.org>; Fri, 3 Apr 2026 03:55:48 -0700 (PDT)
Received: from OSPPR02CU001.outbound.protection.outlook.com (mail-norwayeastazon11023117.outbound.protection.outlook.com [40.107.159.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id EE15CD60026E for <tls@ietf.org>; Fri, 3 Apr 2026 03:55:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=nlLD9tQFFl2RG08mYeJqdj7DDFpvYqHn1q4PuNPv3wpCk8lXjqVZa/LXgimMLdrP7/PS+D7Vd+cFWY0yReJW87pduq7pjnbkFn2XY38pMv+eUneJEOEeHJkH8Cr7B2FI0iClYQcEljFoQ2dKDTdVcO6e8h7zK4t7UtZuiOOnZ4lG0jOlh5aVLkrsuxx21SJyZeBnRDWeb22TuPN0UWFfUB+e/goC4vRM2XdqRhRgGZ3rDD6k10mw79Ler3wiYvmqeNzW1t9OCCuvA2toL4lD12Prbp1PlsMH7xBL4PSoYRfr35bMD+cho5j87b2Rra3cj7xfvIdprHhDwRi2oiGDGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7iqXZ+c+jfHtrzpeSAXzjtGliToAiRQiUw7D0z9xL+A=; b=boiEEme4bcMcTGJzYT+nlTfpBNEHutnG87rZ78sNNS2cObPOBpeCYUqz/7XBulDs54KEyc6ec0q9qtoKQZ6z9qbmJKLDhlVylskvbg8QhyPKCpxqlF+bIBEwb8TNM6tQN3osNYY3Zp00qfVKBZ2zR8J9WXcgo8THH9Re5E4W7CkzoBgX5OaZeJ0vfa6Wyej5AF9D2pw+xZA8MmiHvyE1HQZLRQk8YN3PqXhlqfVSOJtvg92KqdoP4XYmFfJYUZWLxx0rak9j9u5xvjHIvTHnk0Qt3B8qPLZ3rWnsAr9tmrc1if55i298WrJpozpyI9PK9eBgZVPZDHEfWX9CSByfWA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=unamur.be; dmarc=pass action=none header.from=unamur.be; dkim=pass header.d=unamur.be; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unamur.be; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7iqXZ+c+jfHtrzpeSAXzjtGliToAiRQiUw7D0z9xL+A=; b=U5H+GBy43lUnakgBEJIcT6lmTMsaS/owl/FojmNnlONck+lagjxvBigIq1CmwmlKuoXqQfLD3xv0OM5QYtwUVqwZWRH4TKwE4Gq4QsBamKFmdOqwL5HwaUkX8B2unJDjsrQkrxS+rPth9O67aELUqkufMsWGAxX7UMlBSTh7LZ8=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=unamur.be;
Received: from AS2PR07MB8953.eurprd07.prod.outlook.com (2603:10a6:20b:550::19) by GV1PR07MB9141.eurprd07.prod.outlook.com (2603:10a6:150:a7::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.18; Fri, 3 Apr 2026 10:55:37 +0000
Received: from AS2PR07MB8953.eurprd07.prod.outlook.com ([fe80::72c8:c1e1:e9e9:ba72]) by AS2PR07MB8953.eurprd07.prod.outlook.com ([fe80::72c8:c1e1:e9e9:ba72%3]) with mapi id 15.20.9769.016; Fri, 3 Apr 2026 10:55:37 +0000
Message-ID: <78e2482a-5599-4d67-ba47-feadaf069c88@unamur.be>
Date: Fri, 03 Apr 2026 12:55:37 +0200
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: tls@ietf.org
From: Florentin Rochet <florentin.rochet@unamur.be>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-ClientProxiedBy: AS4P190CA0056.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:656::27) To AS2PR07MB8953.eurprd07.prod.outlook.com (2603:10a6:20b:550::19)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AS2PR07MB8953:EE_|GV1PR07MB9141:EE_
X-MS-Office365-Filtering-Correlation-Id: 099f029e-a27d-42d9-cb05-08de916f8a07
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|786006|376014|10070799003|56012099003|18002099003;
X-Microsoft-Antispam-Message-Info: mlip2/ug49oOfvVvx2bIwSFNotHDgiZxjaQjqvsFP5Xe6JqwRjKCHwCMa65tMhMX2yeS5Fp1k8mV3pasP7SQ245rQpOxL9CaxYBVFXhk4EphoTtkEC4+ku2dJlYtodnHiAUEGLsv7SJRa82qkRmhbovamz+31YDeEmuCwwOEUUIDNloQO1Tib1afUjLfu1JTqlSpzo4vxP35NsvypLvV8n60mExiQeVH5zK+rnoLZ+YeouVHL46/KlWmVhurebRbbZLnOIwRSIb9Oe4s/JTtXJXefSvJwymdYJkop5YwnNnzRkTCm5w5tNxsZ2UNG634aN+Njz06ikJBudfw1gvwUbkOL1movLpfeVySN53s4GHTqRKtnr2u3oLKFA3Eiz79RhVtmwAY2bdSvdgaAaWumSJRhwGRAD4H/oDqeoZO226mxHKJdM3bkgaFtU8wTaSyZ9FeiyrM8ZoNjXpgbMAmVNZU+MdHVH7Img2OxKQtA9nkjhP3wo2uDp/XDBjG9JVU+30nT2MZCtQPjTWJIxPFp3GBPeDUcGwF1m/l4Zwss5ZpsLEy4jCRFVKsWs/wMXY91uohMjSKFi+LjTqfuqbM0wFWoQ+4X2lnrDwYzK5pR1tc1SOdce7nrk+qEs/a3e0adEmCRjt8bInZsmItUG7qx4xnVyu4i3jj028Xcpdfwa5isI1V7gFyJRf2U5MVrcnUrGKiEWAqIUlBX5oPRYodpFrVKKCDy5PDCrFCNkFs+yE=
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS2PR07MB8953.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(786006)(376014)(10070799003)(56012099003)(18002099003);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 2
X-MS-Exchange-AntiSpam-MessageData-0: uz2tXupET3RfmLHR7ySTeDi2hV2uCi8rrHVjGmeiy4Y/XEB1KfzjLDdYyEhFEnxaLKKukMF/r7xX40IKZFVYNWIsBEWCwqRBy+1wzWcGbxZ3tWIsPCPyIPJYkkM4p5znJOAIZK0fCy8s2dM+rFlNtxVc0Y48/lFAlp/lUagFWufktdDFrjAW4Ibg7y8vP6UCiszuQ4iekO9fJnyWNR73liTokDc869R4HKNPpxz5zamKWsatGiew/ASTfOaOK+/ZdcYnEks6S4ChlLMpz5u9Yuco1pX3/gVjbwqYmy5lsM3tM/zgJGp+WIqRMTys3ZlvI1DP9q0XyWKDIP8E+rpKSw1UEzV5XqopQDZMCro2Pf0l25R++8+D21ZLHO9rHsSPssXHBDQjGD4phpno3IwRPHwlemIHo4YTgQWcJ+x4vqMHlHVyC8Tp55IxhnB4q0GGsdhA9GtyDkZDqu/iublVgajFAsTOLwX1CStnv3IEwLAxBAGf75jnwexEGnmSxwKRhH7vj9YHX2rRpkWHVM1kkwMOQ7klCsPM8z8PelUuZtCsi9oc/d84ypU2j6q+JcR90fMr3hLA7sj0GXHkRfEl87n+Z9r3O8/euxc72GIOB+crudcvfx0NkuGCReMCR4v1kcn421pCSt0PNdLDzCi7o5O1umD1NTkVq9i2Dlzwvj/sTrP1hqyFL24At69Q2Vr8KxM4LEzqZhgNtzpRwSIbbRQ5s2eQ2CDTzWtsLzMBsaBwdF+x07W4KlhVpv4n3Gkfvz0jLg9PzRfPDWf4yqWte0eTFaikt5QEaFUBkoUNPDGembwEMvUctZzGuhWq9L/SLemcRzsh3F7Xd1YV7C86QV3fW1kxoNvBV3Kl/iDiW+Y34zXf6qTEpxBJWBtceQ5/mo0+uG9sCAkhAFM2lDl02W7+i1WSVSjcvdd8Bi8JrUN/9dWWtG00ZFeKY4AhCovjla673n+TGSLKbjVBJuEyjnDQrhubAUBvdUXbs8ij1RINO8LyOBQ4lWP3Fs2PJ0DNmAyzu74+G76RiQC++y8O/6S94wZaCt7GhhVykeBuvAy3+6IgIVXF2A5UowJhZ5ikJZM7slyyJtoOWKt4SnFqmjmnwYn0znBzL8QeWsZHJ2C7VkSoc8yocy6kyAPUEfCepBbjWpx6xW6edabVoJjAUk+jhQV7ge9Uup4L5W58erozHNn6X2UiBqHcY4sbMrgEYbdRuBpCnFCu7X0DaQcVNJGpbjXsuCULxSq46JAvBavGcBBV3lGPd12T/Lw7OVmPSm2aaz3DWKtf5/xLZi7h+gnODXQEceyG5wICOpOkhvF3JlDBd3KLHXvLGxjn9JAsuqSo64+NERwoWVHizFy7aaNVY9DTp9uGcSi2NDxPeJ0P7nSTJqsrsa7O/dWE8x4OYj8GlvaBJSwyraEUIk/jV5IEKRsIGl3US0aXtnajYwXO1S/Sqwio7hKIF98jGwTVKj0wt1+0MZHzFGDfDRnopYl19kdgBhYvDerrv6XOgfWUMK2VxD5Hcq0M/UrFKDSm7h7aBh3ltOS2S2iK0DwOZcIBpMoLSZz1BybOrc5l3Ph9aSlveejnFypQ1gK7VmUf1xDsVsauqmcvUBS6DpV+dNCAKaliUbylkmDEMNl9yUDYcIvbtxa8iHDzOE3c7ktFmM9GU3fwk01LJCAfkq5e4rJlNzDa+Pt9lmeFRX3yDy496DzEJZy9AP8M4fGQHlewXwzVzaznHKBz1BkETeHbRrVUvgy5CsGJFblxHobtwOC6fXgrdpfAZEeHQWlN6eoNapQj0M76
X-MS-Exchange-AntiSpam-MessageData-1: bC+dFWixl6c0kfoxbWCC0nOrspW/Vo6LWSo=
X-OriginatorOrg: unamur.be
X-MS-Exchange-CrossTenant-Network-Message-Id: 099f029e-a27d-42d9-cb05-08de916f8a07
X-MS-Exchange-CrossTenant-AuthSource: AS2PR07MB8953.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Apr 2026 10:55:37.7913 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5f31c5b4-f2e8-4772-8dd6-f268037b1eca
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: ZgCrDoR346vOfZIwg4VRczTp6LbQl0jwwI/4G8l1JkOD58eoazMF7YgemRDy2ta8slr3FZ61M22FiW7cUq6w8ZBROEMAt1IOOHlwKUWHMYY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV1PR07MB9141
Message-ID-Hash: HQDVJV6R7RITYOA54NTPFWC4C3Y2JKUV
X-Message-ID-Hash: HQDVJV6R7RITYOA54NTPFWC4C3Y2JKUV
X-MailFrom: florentin.rochet@unamur.be
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] RFC 9849 clarifying split mode security
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GuifN3u8CRAJopnFkfHZBuM18SQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Dear everyone, First of all, many thanks to all the people involved in RFC 9849. This is a very nice privacy-preserving advancement for networking protocols. Reading the RFC, I am being confused by the security guarantee(s) and the distinction existing between the split mode and the shared mode regarding their threat model, if any exists? Regarding the shared mode, we terminate the connection at the client-facing server and we have then to trust it for privacy of the data stream. Ok. Regarding the split-mode, the reverse proxy forwards the handshake to the backend server. This does not seem to provide any added security value compared to the shared mode, at least within the TLS 1.3 adversarial model assuming that any on-path middlebox can act as an active attacker. Worse, this could mislead deployment and users to believe there is a security benefit to the split-mode. In split mode, I would consider the client-facing server as an untrusted middlebox for data stream privacy. But a malicious client-facing server should be able to MITM any client throwing an ECHClientHello by first having requested itself certificates for the backend domains that it is supposed to provide service to. That is, since similarly to the shared mode, the backend domain owner has to configure the DNS to point to the client-facing server. The client-facing server is then able to acquire valid certificates using the ACME protocol, and terminate the connection while the backend would expect split mode. Technically, it does not appear to me that either the client or the backend would understand that the connection is being MITM'ed; potentially, additional certificates would appear in CT logs, but that's about it. So, I think I need clarification on the expected threat model difference between split mode and shared mode. From section 10.1, I read the following: > Passive and active attackers can exist anywhere in the network, > including between the client and client-facing server, as well as > between the client-facing and backend servers when running ECH in > split mode. However, for split mode in particular, ECH makes two > additional assumptions: > > 1. The channel between each client-facing and each backend server is > authenticated such that the backend server only accepts messages > from trusted client-facing servers. The exact mechanism for > establishing this authenticated channel is out of scope for this > document. It looks like the client-facing server is excluded from the potential attackers, and is "trusted", similarly to the shared mode. Then what is the usefulness of the split mode? Why do we need it, what does it bring compared to shared mode (security-wise)? Then I read the following statement within the RFC: > Given this threat model, the primary goals of ECH are as follows. > > 1. Security preservation. Use of ECH does not weaken the security > properties of TLS without ECH. In split mode this statement appears only true if we trust the client-facing server. But since as the RFC says, the client-facing server and backend server are "separated" in split mode. Would that trust assumption always hold in such a separated context? Or will we have deployment that incorrectly claim that they provide end-to-end security because they use split mode, and use that argument to say that they're better than Cloudflare? Thanks in advance to anyone pointing flaw(s) in the reasoning, or confirming the confusion :-) Best, Florentin
- [TLS] RFC 9849 clarifying split mode security Florentin Rochet
- [TLS] Re: RFC 9849 clarifying split mode security Ben Schwartz
- [TLS] Re: RFC 9849 clarifying split mode security Florentin Rochet
- [TLS] Re: RFC 9849 clarifying split mode security Ben Schwartz
- [TLS] Re: RFC 9849 clarifying split mode security Muhammad Usama Sardar
- [TLS] Re: RFC 9849 clarifying split mode security Florentin Rochet
- [TLS] Re: RFC 9849 clarifying split mode security Ben Schwartz
- [TLS] Re: RFC 9849 clarifying split mode security Vinicius Fortuna [vee-NEE-see.oos]