Re: [TLS] About encrypting SNI
Watson Ladd <watsonbladd@gmail.com> Tue, 15 April 2014 05:21 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 863541A0714 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 22:21:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oA3zvG0Rh-Bj for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 22:21:50 -0700 (PDT)
Received: from mail-yk0-x229.google.com (mail-yk0-x229.google.com [IPv6:2607:f8b0:4002:c07::229]) by ietfa.amsl.com (Postfix) with ESMTP id 9EBCF1A0338 for <tls@ietf.org>; Mon, 14 Apr 2014 22:21:50 -0700 (PDT)
Received: by mail-yk0-f169.google.com with SMTP id 142so8470532ykq.0 for <tls@ietf.org>; Mon, 14 Apr 2014 22:21:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=mboPcz7xdWVNsf02VUYMSZAig/7tJJe3PnM78DIaBrQ=; b=i+IumJTVMZfj93DvBaPdVWJkzMgiI/nEcp+iG7iUcn6mkSNsalWy5TOgTZI4BlBvp2 Op2CiaOJpWKhVQkHGVcUuPruj9Odkno9hAlPEwUF/+3VKZVHLcErV2vHy3WjAFu/qLac 2iWZ6cVAWTddL4VR3R1A5RRqpXtO9OfrCjtT6Rf6Migbcf6fM39ng4OC9KKXTU4AKUx2 1dyiwDFusVwCvL+d4voVirhrPsv+zfAsJ04di641ZXm1yfKOABdI4F49/rwfFm8sZ8Hr egiPBl3BoHkO7CbeRi4Wh+ndI2U+70ihdLlQUtpRw8GCK74CBOl+MveKq6u/BM9XHTN7 pznA==
MIME-Version: 1.0
X-Received: by 10.236.135.104 with SMTP id t68mr63850543yhi.35.1397539307787; Mon, 14 Apr 2014 22:21:47 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Mon, 14 Apr 2014 22:21:47 -0700 (PDT)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com>
Date: Mon, 14 Apr 2014 22:21:47 -0700
Message-ID: <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/J06e91BdZ4kDdMAeAwhWTt5tdMU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Apr 2014 05:21:59 -0000
On Mon, Apr 14, 2014 at 8:08 PM, Salz, Rich <rsalz@akamai.com> wrote: >> I think Alyssa Rowan's concern elsewhere in this thread about the "circular argument of doom and defeat" applies here too. > > I think it's a little too simple a way to view things. Our goal isn't to make Eve's job as hard as possible, it's to make the best set of trade-offs we can, for the ovewrall Internet. As myself and others have pointed out, encrypting the SNI has some real drawbacks and might not accomplish what is desired. If we decide to not support it, it can purely be an evaluation of the trade-offs. It all depends on the mechanism that is proposed, and how that works. The mechanism in the current TLS 1.3 doesn't actually work: a censor can break a few connections to see what you are looking at, then take a look himself to see if they want to censor it. Even if we did have a magic mechanism that encrypted the handshake without knowing to whom it was to be encrypted (I'm sure someone will dig up an IACR paper that presents a wildly impractical solution using fully homeomorphic encryption) a censor could probably take a good guess as to what everyone was looking at, especially from interaction patterns. Censors are generally insensitive to collateral damage. Turkey denied access to all of Twitter, and Pakistan all of Youtube (for everyone worldwide once) over a small amount of subversive content on each. Not to put anyone on the spot, but if you think a major hosting provider is going to bat for you while getting bomb threats and periodically sitewide blocks, you're nuts. They aren't. It isn't their business, and the ones who make it their business are usually collateral damage for a censor as people who don't want to take the cost of getting blocked. Frequently changing IP address and using DNS to send people there doesn't work: the censor knows how to find DNS entries also. I'm not sure what the threat that encrypted SNI is supposed to protect against is: a passive observer looking for connections to a website on shared hosting, insensitive to collateral damage? A merely curious teenager armed only with wireshark, and no idea of what the websites look like? The Great Firewall of China? Finally, a sufficiently motivated censor could cut off all TLS 1.3 entirely if they couldn't break it. Browsers would fallback to TLS 1.2. Some censors are that motivated: they threaten publishers with death and dismemberment Now, the best mechanism I can think off would be to use DNS to preload a per-IP SNI encryption key, or have the handshake optionally involve getting one. But I still can't figure out how to authenticate the gotten key without a lot of complexity. The best solution is for the client and server to do a DH, then pass the desired website (which might get you investigated when the initial handshake is intercepted), and have that cert sign the handled DH, then go back and do a TLS connection. Ugh. Make a clean, per-IP solution, and you solve the big problem. However, I think censors are going to not care about collateral damage, and may very well send a clear message by blocking TLS 1.3. I would love to have a nice, simple, censorship resistance improvement. Maybe there is low-hanging fruit we missed. It's worth still thinking about. But at this moment I don't see a useful way to achieve the goal. Sincerely, Watson Ladd > > /r$ > > -- > Principal Security Engineer > Akamai Technology > Cambridge, MA > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir