IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

Watson Ladd <watsonbladd@gmail.com> Tue, 15 April 2014 05:21 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 863541A0714 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 22:21:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oA3zvG0Rh-Bj for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 22:21:50 -0700 (PDT)
Received: from mail-yk0-x229.google.com (mail-yk0-x229.google.com [IPv6:2607:f8b0:4002:c07::229]) by ietfa.amsl.com (Postfix) with ESMTP id 9EBCF1A0338 for <tls@ietf.org>; Mon, 14 Apr 2014 22:21:50 -0700 (PDT)
Received: by mail-yk0-f169.google.com with SMTP id 142so8470532ykq.0 for <tls@ietf.org>; Mon, 14 Apr 2014 22:21:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=mboPcz7xdWVNsf02VUYMSZAig/7tJJe3PnM78DIaBrQ=; b=i+IumJTVMZfj93DvBaPdVWJkzMgiI/nEcp+iG7iUcn6mkSNsalWy5TOgTZI4BlBvp2 Op2CiaOJpWKhVQkHGVcUuPruj9Odkno9hAlPEwUF/+3VKZVHLcErV2vHy3WjAFu/qLac 2iWZ6cVAWTddL4VR3R1A5RRqpXtO9OfrCjtT6Rf6Migbcf6fM39ng4OC9KKXTU4AKUx2 1dyiwDFusVwCvL+d4voVirhrPsv+zfAsJ04di641ZXm1yfKOABdI4F49/rwfFm8sZ8Hr egiPBl3BoHkO7CbeRi4Wh+ndI2U+70ihdLlQUtpRw8GCK74CBOl+MveKq6u/BM9XHTN7 pznA==
MIME-Version: 1.0
X-Received: by 10.236.135.104 with SMTP id t68mr63850543yhi.35.1397539307787; Mon, 14 Apr 2014 22:21:47 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Mon, 14 Apr 2014 22:21:47 -0700 (PDT)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com>
Date: Mon, 14 Apr 2014 22:21:47 -0700
Message-ID: <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/J06e91BdZ4kDdMAeAwhWTt5tdMU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Apr 2014 05:21:59 -0000

On Mon, Apr 14, 2014 at 8:08 PM, Salz, Rich <rsalz@akamai.com> wrote:
>> I think Alyssa Rowan's concern elsewhere in this thread about the "circular argument of doom and defeat" applies here too.
>
> I think it's a little too simple a way to view things. Our goal isn't to make Eve's job as hard as possible, it's to make the best set of trade-offs we can, for the ovewrall Internet.  As myself and others have pointed out, encrypting the SNI has some real drawbacks and might not accomplish what is desired. If we decide to not support it, it can purely be an evaluation of the trade-offs.

It all depends on the mechanism that is proposed, and how that works.
The mechanism in the current TLS 1.3 doesn't actually work: a censor
can break a few connections to see what you are looking at, then take
a look himself to see if they want to censor it. Even if we did have a
magic mechanism that encrypted the handshake without knowing to whom
it was to be encrypted (I'm sure someone will dig up an IACR paper
that presents a wildly impractical solution using fully homeomorphic
encryption) a censor could probably take a good guess as to what
everyone was looking at, especially from interaction patterns.

Censors are generally insensitive to collateral damage. Turkey denied
access to all of Twitter, and Pakistan all of Youtube (for everyone
worldwide once) over a small amount of subversive content on each. Not
to put anyone on the spot, but if you think a major hosting provider
is going to bat for you while getting bomb threats and periodically
sitewide blocks, you're nuts. They aren't. It isn't their business,
and the ones who make it their business are usually collateral damage
for a censor as people who don't want to take the cost of getting
blocked.

Frequently changing IP address and using DNS to send people there
doesn't work: the censor knows how to find DNS entries also. I'm not
sure what the threat that encrypted SNI is supposed to protect against
is: a passive observer looking for connections to a website on shared
hosting, insensitive to collateral damage? A merely curious teenager
armed only with wireshark, and no idea of what the websites look like?
The Great Firewall of China?

Finally, a sufficiently motivated censor could cut off all TLS 1.3
entirely if they couldn't break it. Browsers would fallback to TLS
1.2. Some censors are that motivated: they threaten publishers with
death and dismemberment

Now, the best mechanism I can think off would be to use DNS to preload
a per-IP SNI encryption key, or have the handshake optionally involve
getting one. But I still can't figure out how to authenticate the
gotten key without a lot of complexity. The best solution is for the
client and server to do a DH, then pass the desired website (which
might get you investigated when the initial handshake is intercepted),
and have that cert sign the handled DH, then go back and do a TLS
connection. Ugh.

Make a clean, per-IP solution, and you solve the big problem. However,
I think censors are going to not care about collateral damage, and may
very well send a clear message by blocking TLS 1.3.

I would love to have a nice, simple, censorship resistance
improvement. Maybe there is low-hanging fruit we missed. It's worth
still thinking about. But at this moment I don't see a useful way to
achieve the goal.

Sincerely,
Watson Ladd



>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email