Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
mrex@sap.com (Martin Rex) Wed, 17 October 2018 17:02 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2FC0130E03 for <tls@ietfa.amsl.com>; Wed, 17 Oct 2018 10:02:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id layUK95H0_3e for <tls@ietfa.amsl.com>; Wed, 17 Oct 2018 10:02:41 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1BEE130DC9 for <tls@ietf.org>; Wed, 17 Oct 2018 10:02:40 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 42Zz4s6y5Nzs9; Wed, 17 Oct 2018 19:02:37 +0200 (CEST)
X-purgate-ID: 152705::1539795758-00000211-1BEB3BC6/0/0
X-purgate-size: 4268
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 42Zz4r6bmLzGqdT; Wed, 17 Oct 2018 19:02:36 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id DA9D1404C; Wed, 17 Oct 2018 19:02:36 +0200 (CEST)
In-Reply-To: <9DE64F7F-4740-4410-A004-373D8919920B@sn3rd.com>
References: <9DE64F7F-4740-4410-A004-373D8919920B@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
Date: Wed, 17 Oct 2018 19:02:36 +0200
CC: tls@ietf.org
Reply-To: mrex@sap.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20181017170236.DA9D1404C@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KOUqAvWqjAubupnWcB68o3WhzHY>
Subject: Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2018 17:02:45 -0000
Sean Turner <sean@sn3rd.com> wrote: > > This is the working group last call for the > "Issues and Requirements for SNI Encryption in TLS" > draft available at > http://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/. > Please review the document and send your comments to the list > by 2359 UTC on 31 October 2018. I think the idea of encrypted SNI is inherently flawed in its concept. If anyone really thinks that there should be a scheme where a server's hostname is no longer transfered in a cleartext (including TLS extension SNI), then first of all a *NEW* distinct URI method should be defined for that purpose, e.g. "httph://" as a reliable indicator to the client processing this URI, that the hostname from this URI is not supposed to be sent over the wire in the clear *anywhere*. As it is, there are a number of servers which desperately require the presence of TLS extension SNI, or will fail TLS handshakes either by choking and dropping connections (Microsoft IIS 8.5+) or by very unhelpful alerts (several others), and also HTTP/2.0 requires unconditional cleartext presence of TLS extension SNI. Any kind of heuristics-based approach for clients to guess whether or not to send TLS extension SNI is flawed from the start. If a network middlebox can make a client present a cleartext TLS extension SNI by refusing connections without cleartext TLS extension SNI, the entire effort becomes pretty useless. It is necessary that the client knows reliably that a hostname must not be sent in the clear, including when the connection fails for unknown reasons, and only a new URI method will reliably provide such a clear distinction. I also believe the draft is contains flawed assumptions and misleading descriptions of facts and history. e.g. Section 2.2 "The common name component of the server certificate generally exposes the same name as the SNI. In TLS versions 1.0 [RFC2246], 1.1 [RFC4346], and 1.2 [RFC5246]"" SubjectAltName attributes, unless you were hiding under some stone with no internet acces for more than a decade... rfc2818 "HTTP over TLS" section 3.1 "Server Endpoint Identification" described retroactively, what kind of name matching TLS clients Browsers were doing -- and what all TLS clients are supposed to be doing on a TLS server certificate. https://tools.ietf.org/html/rfc2818#section-3 This approach was recommended for use in other protocols besides HTTP over TLS by RFC 6125. By sending TLS extension SNI in the clear to a server, the client tells that server: I am going to perform an rfc2818 "HTTP over TLS" section 3.1 "Server Endpoint Identification" matching -- and if you have several different TLS server certificates to choose from, you better send me one that is going to succeed this specific matching, which I am going to perform on your TLS ServerCertificate response. The TLS server certificate could only be conveyed *IN*THE*CLEAR* in SSLv3, could be conveyed only in the clear in TLSv1.0, when TLS extension SNI was proposed in rfc3546 to allow virtual hosting from HTTP to work with HTTPS, and could be conveyed only in the clear in TLSv1.2, when SNI was rev'ed by rfc6066. In protocol version SSLv3->TLSv1.2, encryption keys are only established *AFTER* successful authentication of the server through its server certificate. So it was obviously impossible to encrypt the information whose only purpose it was to allow the server to decide *which* TLS Server certificate to use for authentication (hen-and-egg). DH_anon cipher suites do not have a server certificate handshake message, and they are well-known to be completely insecure to man-in-the-middle attacks anyways, which is why TLSv1.2 (rfc5246) says this about them: The following cipher suites are used for completely anonymous Diffie-Hellman communications in which neither party is authenticated. Note that this mode is vulnerable to man-in-the- middle attacks. Using this mode therefore is of limited use: These cipher suites MUST NOT be used by TLS 1.2 implementations unless the application layer has specifically requested to allow anonymous key exchange. -Martin
- [TLS] WGLC for draft-ietf-tls-sni-encryption Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Geoffrey Keating
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption David Fifield
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Mark O