Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Jacob Appelbaum <> Thu, 03 December 2015 00:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D1C811AD305 for <>; Wed, 2 Dec 2015 16:52:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YXfqJRpxsDpl for <>; Wed, 2 Dec 2015 16:52:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C6BD61AD2A9 for <>; Wed, 2 Dec 2015 16:52:41 -0800 (PST)
Received: by iouu10 with SMTP id u10so66430915iou.0 for <>; Wed, 02 Dec 2015 16:52:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NtlOfplNRPLPmZm+/pKLQmC+cgfxLmD9S8wgPJZyqus=; b=PMBdHubvvZYe/+uGdAFhVfx73z+u8B6To8uliDe9oxkv3GtfCuzW4/oB352tQvcSUr 6cBnvHf7o8I2M2Hw59TnagMSoGQIupqguzRTO2zyBGy7GtyNZsMYHzfo2NXhlHEUkn5g +pCALKEuPopE67f/YFzyoSPyFu39efavZjBraYGjMQBai3F8qGjCs2V7TmGt6rhu8Cme sNlUO8HSa0lMwjoh3+tLFZawAXDdHYhfxyk4b0zH6qpvENt9yEPJrxVHIiSKht0jnTuj xNJ8pqLwJCQauTvrR2S9RY9M94nXI/DFdriz/DRDSO6/P9VubqeyIkwc+89OJAvD7iFQ HznA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=NtlOfplNRPLPmZm+/pKLQmC+cgfxLmD9S8wgPJZyqus=; b=bepwINCxJopTvgixQ1/4x9SCp5G6UoYCg7l39MT1JY1oHUtbZjrCJBHQsIs15GBFHP miE6UvfBfnFhpZyO1r5eX4QYvFSHWahiDXGzhymPx3nU5zfLUK2/Y7tzQtevzpITFq9k I0+fO4RmlYap+cxSz0/+4dtNiGYYJ7Q7UdMBJLWbTEAnhIv/QZ24DSdznxx5KdzX3k4q KOy7UY/bcXpb6PgH6ST5ndTwVFz57cYcAsxMqltvtGbtSdFikKB21x12NFzbDpxqkfZd xMf7lUKdVC1dtCMq5uJZo9OG9Ry200j28iwaPLa4kP3zAVQl7AGhFv9a2jqoSgaNhO9i tqIg==
X-Gm-Message-State: ALoCoQl6K8tjcb3fmio1v1I7H0L5K5uXhuUj5PpRJIdgub2/54eE19oSWVjKl3B0BdRvB41Mauve
MIME-Version: 1.0
X-Received: by with SMTP id m28mr7423920iod.24.1449103960011; Wed, 02 Dec 2015 16:52:40 -0800 (PST)
Received: by with HTTP; Wed, 2 Dec 2015 16:52:39 -0800 (PST)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <> <> <>
Date: Thu, 03 Dec 2015 00:52:39 +0000
Message-ID: <>
From: Jacob Appelbaum <>
To: "Salz, Rich" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Dec 2015 00:52:43 -0000

On 12/2/15, Salz, Rich <> wrote:
>> it seems blindingly obvious to me that we want it
> Few things, particularly in the security arena, are blindingly obvious.  If
> it actually provides no true protection, then it's just as bad as the
> security theater in US airports.

It provides protection. Specifically it provides confidentially.

It doesn't solve the fact that the DNS is a privacy violating
nightmare. It doesn't change the fact that the NSA breaks the rules.

>> If we can avoid adding them in TLS
> We're not adding anything as SNI is already in plaintext.  (Precision
> counts:).  And we have already added numerous important privacy protections
> to TLS 1.3.

Leaving SNI in the clear ensures that attackers will be able to
selectively block access by name with ngrep and some basic TCP RST
injection. No cryptographic attacks are required and it will be done
by simply looking for an objectionable string. The economics of that
attack are very low. Forcing an attacker to become a global active or
passive adversary and to perform competent traffic analysis is a much
higher economic cost.

All the best,