Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Yoav Nir <ynir@checkpoint.com> Thu, 07 November 2013 19:49 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "Salz, Rich" <rsalz@akamai.com>
Date: Thu, 07 Nov 2013 19:48:58 +0000
Message-ID: <708C4C0F-2915-4847-A823-E4CF74B8B367@checkpoint.com>
References: <CA+BZK2qUE3oS6Sbp1HbKZ7Wgen9gEjjdepON1egLhGqCPpoVBw@mail.gmail.com> <CACsn0c=VWmsfxvE_17+FyBASUXPCNrS1FQQ02fzhF5rA6zx4wQ@mail.gmail.com> <CA+BZK2oAj6FmXTbDoY0oRHpHFVzeN-NmDJde2mJTwOzBW0CdiQ@mail.gmail.com> <EEF0FE50-3032-4C7B-BA07-1845CDEDA155@checkpoint.com> <2A0EFB9C05D0164E98F19BB0AF3708C711DA7CF14F@USMBX1.msg.corp.akamai.com>
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711DA7CF14F@USMBX1.msg.corp.akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

On Nov 7, 2013, at 9:39 AM, "Salz, Rich" <rsalz@akamai.com> wrote:

>> For example, if the server certificate could list the different domain names that it was valid for.
>
> Like subjectAltName?  But unlike SNI, that requires the hosted parties to cooperate in getting the certificate. SNI does not.

Yes, but at the cost that the domain name is exposed in the clear. Both in the SNI and in the certificate.

Yoav
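What "exposed in the clear" means concretely, as an added example that is not part of this thread or of any IETF draft: a small Python builder and parser for a plaintext TLS ClientHello carrying the server_name (RFC 6066) and ALPN (RFC 7301) extensions. Anyone who can see the first record of the handshake can read the hostname and the offered protocol list with a parser this simple; the hostnames, the all-zero random and the single cipher suite below are constructed placeholders, and the parser deliberately skips unknown extensions rather than modelling the whole ClientHello.

```python
import struct

# Field values from RFC 5246 (record/handshake layout), RFC 6066 (server_name)
# and RFC 7301 (application_layer_protocol_negotiation).
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010


def _ext(ext_type, body):
    """Wrap an extension body in its type/length header."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(hostnames, alpn_protocols):
    """Build a minimal plaintext ClientHello record with SNI and ALPN.

    The random bytes and the cipher suite list are constructed placeholders;
    they are enough for the parser below, not for a real handshake.
    """
    host_list = b"".join(
        b"\x00" + struct.pack("!H", len(h)) + h.encode("ascii") for h in hostnames
    )
    sni_body = struct.pack("!H", len(host_list)) + host_list
    proto_list = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
    alpn_body = struct.pack("!H", len(proto_list)) + proto_list
    extensions = _ext(EXT_SERVER_NAME, sni_body) + _ext(EXT_ALPN, alpn_body)

    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + b"\x00" * 32                               # random (placeholder)
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite (placeholder)
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': [...], 'alpn': [...]} read from a plaintext ClientHello record."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                     # skip version and random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    result = {"sni": [], "alpn": []}
    if pos >= len(body):
        return result                                # no extensions block at all

    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                n_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:                   # host_name
                    result["sni"].append(data[p + 3:p + 3 + n_len].decode("ascii"))
                p += 3 + n_len
        elif ext_type == EXT_ALPN:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p < 2 + list_len:
                n = data[p]
                result["alpn"].append(data[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
        # any other extension is skipped
    return result


if __name__ == "__main__":
    rec = build_client_hello(["www.example.com"], ["h2", "http/1.1"])
    print(parse_client_hello(rec))
```

Running the module prints the hostname and protocol list recovered from the raw bytes. The same record could be fed from a packet capture instead of the builder; the point for a defender is that nothing in this path needs a key, which is why the thread treats a cleartext SNI and a cleartext certificate as equivalent leaks of the domain name.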