Re: [TLS] About encrypting SNI
Paul Lambert <paul@marvell.com> Tue, 20 May 2014 19:36 UTC
Return-Path: <paul@marvell.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC1481A0217 for <tls@ietfa.amsl.com>; Tue, 20 May 2014 12:36:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level:
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h-1SjCQdPA_a for <tls@ietfa.amsl.com>; Tue, 20 May 2014 12:36:58 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3AF01A019B for <tls@ietf.org>; Tue, 20 May 2014 12:36:57 -0700 (PDT)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s4KJatHo012112; Tue, 20 May 2014 12:36:55 -0700
Received: from sc-owa01.marvell.com ([199.233.58.136]) by mx0b-0016f401.pphosted.com with ESMTP id 1ky77fs1m6-1 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 20 May 2014 12:36:55 -0700
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA01.marvell.com ([10.93.76.21]) with mapi; Tue, 20 May 2014 12:36:52 -0700
From: Paul Lambert <paul@marvell.com>
To: Jacob Appelbaum <jacob@appelbaum.net>, "mrex@sap.com" <mrex@sap.com>
Date: Tue, 20 May 2014 12:38:58 -0700
Thread-Topic: [TLS] About encrypting SNI
Thread-Index: Ac90YtlN0VCVsbvXT+WEpHpsth512A==
Message-ID: <CFA0FC59.3B0C2%paul@marvell.com>
References: <0B76075A-D9F1-4780-8834-7FF0A1C82999@vigilsec.com> <20140425013239.7FE5E1ACE1@ld9781.wdf.sap.corp> <CAFggDF3u1R+540x6SM3Rt5u+GNQ44ZKozCoTSU1k+XMPU9V-tQ@mail.gmail.com>
In-Reply-To: <CAFggDF3u1R+540x6SM3Rt5u+GNQ44ZKozCoTSU1k+XMPU9V-tQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.1.140326
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.96, 1.0.14, 0.0.0000 definitions=2014-05-20_05:2014-05-20,2014-05-20,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1405200239
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/KIkZz6gAWwCCzJdrosdAVovQuUo
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 19:36:59 -0000
On 5/20/14, 10:17 AM, "Jacob Appelbaum" <jacob@appelbaum.net> wrote: >On 4/25/14, Martin Rex <mrex@sap.com> wrote: >> Russ Housley wrote: >>> > I think Rich Salz has outlined very compelling reasons not to support >>> > SNI. >>> >>> While I might quibble with a detail here or there, I do agree with the >>> conclusion. If you need to protect SNI, then TOR or to a lesser extent >>> TLS-in-TLS can be used. >> >> I agree. If you need TOR, you should use TOR. >> > >This is curious - what specific property do you think you need from Tor? > >To protect from information leaks in TLS or other protocols? If so, >sure, use Tor. > >One doesn't need the anonymity of Tor or the censorship circumvention >of Tor per se - rather, this is basically compensating for a protocol >that leaks plaintext information. > >However - I wonder why not fix the (transport layer security) protocol >to not have such an information leak? Then we can say: If you need >anonymity, use Tor. If you need Transport Layer Security (and thus >confidentiality), use TLS! > >This is also a conundrum for Tor I might add - we use TLS on the wire >and as a result, we generate random stuff for say, the hostname >embedded in various bits of the TLS connection. It would be nice if we >could remove such distinguishers from the TLS protocol entirely. It >would help Tor which is also useful, if as you say, you want people to >use it when they need it. > >( Also - It's Tor, not TOR. ) > >> Encrypted SNI comes at a huge cost, and could at best provide >> a benefit somewhere between completely negligible and absolutely none. > >I'm not convinced that this is the right framing of the issue. Allow >me to turn this over: > >Plaintext information leaks in TLS come at a huge cost and ensure that >TLS may be selectively and actively attacked in a targeted manner. >This is a protocol failure and we should correct it. +1 Anonymity is easiest in a crowd. The same protocol exchanges used for everyday browsing should look identical to traffic requiring more careful protection. Proxied or onion routed traffic should appear identical to traffic destined to a visible end point. Paul > >> >> Whether the service provider uses multiple services on a host at >> all, is up to the service provider. >> >> What name the service provider chooses is up to the service provider. >> >> Whether the content of the individual hosts is (close to) 100% >> distinguishable by its traffic patterns is up to the hosting provider, >> the service providers, the nature of their contents and the amount >> of (or lack of) cooperation/synchronization among the service providers. >> >> >> It would be crazy if any of the secret three agencies would spent >> a huge amount of protective efforts so that they could refer to >> their "secret hideout at 17, umpteen street" under the term >> "secret hideout at 17, umpteen street", instead of simply >> calling it an office or a laundry, or whatever. >> > >My concern is not helping secret three agencies. My concern is that >those secret three agencies are attacking TLS. They use this >distinguisher, as well as others, to select specific traffic for >collection, as well as for censorship and other forms of exploitation. >This applies to those agencies amongst other attackers who aren't well >funded. We should consider this reality and try to defend against this >threat. > >> >> The server name is simply routing information. And it is not just >> load-balancers that may want to be able to use that information >> without having to open/terminate/participate the TLS communication, >> it's also easier and cleaner for implementations at the endpoint >> to do the server-side of TLS extension SNI "outside" of the TLS stack. >> > >Sure - the server name is a distinguisher which serves as a way for >attackers to exploit other issues in common TLS deployments. We should >remove as many of the distinguishers from TLS in the client and server >as is possible. We can't solve every traffic analysis problem with TLS >but we don't need to leak the client's clock, the requested hostname, >and lots of other details merely because we've always done so. > >I think that TLS in TLS is a nice idea but the outer handshake will >still have distinguishers that ensure that such handshakes will be >easy to deny selectively. The design of OTR is useful to consider. It >doesn't make sense to simply declare TLS in TLS without considering >how that would really look on the wire to an adversary with moderate >DPI capabilities. > >All the best, >Jacob > >_______________________________________________ >TLS mailing list >TLS@ietf.org >https://www.ietf.org/mailman/listinfo/tls
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir