Re: [TLS] Encrypted SNI

Jacob Appelbaum <> Sun, 06 December 2015 08:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5D8E21ACCE9 for <>; Sun, 6 Dec 2015 00:48:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LVoOFNgTn2KT for <>; Sun, 6 Dec 2015 00:48:38 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 33BA71ACD0C for <>; Sun, 6 Dec 2015 00:48:38 -0800 (PST)
Received: by iouu10 with SMTP id u10so158109016iou.0 for <>; Sun, 06 Dec 2015 00:48:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=APXOvXaiEKT6NGa26qQVQdTT28IyVN7Ic6eCcZSVKYo=; b=AG0hYuf9eQsDtRMZULKt8hh86D7Csph5XzP0tyNjkNa9n7mt1gmpMcNFjaVkaHdGCR IEONATAg1zZcxQOCB+eLkzyI52pFtTuGLbggdpd9v/eJs5jYywRrnBsW0h2gveFBKNBH SkQfi3azMb/3LUU47DN+OtaRXf9QQJrxalOZVqHlW/Nl74MTXumVnNcekByzlWKvMgNZ BTbrmBZiqo0LX/YDUs51B0P7ynzLY6S7NxVZDx5BF7n0rB5FO8EtSgGkwH6PqcJiqyht HJ10bKo6xPJwrxzjN3eW9B96TvHmgWlGZ66LvhNFgBpJ6euGcq6fMTH7yOZALHCJQMga UsWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=APXOvXaiEKT6NGa26qQVQdTT28IyVN7Ic6eCcZSVKYo=; b=BSTeUTXkpkga3VeNnpxH/WLJQsIGf1SxuQYgMZXPdLL3//PWwZndZVNe1cAMC5yTlp 2CRALqKPltzGDsTtPwYcaDn52SD4aOMqKPWIUBfVe3cEh2MiZ03xmdjlt1QA8CP0SIMF yt3tVn/1EjBMvLnMCeIKfPELH5jyLzxEoEk/zV6ZIl/5jRUS9TOZZ4gQ/DfALfu7C7kd Y9u8Aa3pmg4JDVeU0y5hYWYFaIC+15PHJeMBa17zc1jHH9ey66TSyn0EFiXfrZgrSS0f Hsz2nT9FoJFuVRrHm7jIQ4EzMQbeHEJGUGj13UdNAi9t0MvFSq7VgqySAt/K7t+jNglU KDSg==
X-Gm-Message-State: ALoCoQlDA3g2QfrujhDBYj163KYmG9V/D7tmwTJBl9Ly9+pbq/tOxsX68YZdToyieiCkrdLnCBoG
MIME-Version: 1.0
X-Received: by with SMTP id l19mr18772585iod.138.1449391717566; Sun, 06 Dec 2015 00:48:37 -0800 (PST)
Received: by with HTTP; Sun, 6 Dec 2015 00:48:37 -0800 (PST)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <>
Date: Sun, 06 Dec 2015 08:48:37 +0000
Message-ID: <>
From: Jacob Appelbaum <>
To: Dave Garrett <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [TLS] Encrypted SNI
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 06 Dec 2015 08:48:39 -0000

On 12/6/15, Dave Garrett <> wrote:
> On Saturday, December 05, 2015 08:58:58 pm Salz, Rich wrote:
>> Can we embed an EncryptedExtension inside an existing EE?  That would let
>> us do TOR purely within TLS, right?
> If clients are allowed to send any encrypted extensions other than the
> tunneling extension (that contains the tunneled hello), then we would have
> to allow sending an EncryptedExtension through it, otherwise tunneled peers
> would have less capabilities than non-tunneled. I don't see anything in this
> design that would prohibit recursively doing this as many times as desired.
> (e.g. tunnel of a tunnel of a tunnel of a...) That does sound somewhat
> TOR-like, though obviously, lots more would be needed to actually do
> anything with that. If this can actually be done, it sounds very promising.

I had a similar thought.

There needs to be a way to blind each server that is two hops away to
make it work:

Alice connects to a server_0, the server routes to server_1, server_1
routes to server_2 and that passes the final TLS to Bob.

Alice's TLS message needs to be passed to server_1 without every
indicating in an encrypted fashion that server_2 is in the path. In
this analogy, server_0 is like the Tor guard, server_1 is the middle
node, and server_2 is the exit node.

There are some issues with such a design - which is why Tor's design
is to use TLS as an outer link layer and then internally to use 512
byte (or slightly larger) cells. I won't get into those here but I
find the general idea of tls within tls to be useful.

All the best,