Re: [TLS] Encrypted SNI

Brian Sniffen <> Tue, 03 July 2018 21:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E29D6130E54 for <>; Tue, 3 Jul 2018 14:19:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id adEp9bXZq8q1 for <>; Tue, 3 Jul 2018 14:19:27 -0700 (PDT)
Received: from ( [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7AB6F130E0F for <>; Tue, 3 Jul 2018 14:19:27 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id w63LCOcv003567; Tue, 3 Jul 2018 22:19:23 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : content-transfer-encoding; s=jan2016.eng; bh=WI4nqmUfuB0ne7JS9BLwA6+CN0kKHpJp5Y9lDB0SiII=; b=hz/jZAUsu0gZtge85GyWSV7dKIOkVy8LBbsaWUOGTRa2M+TnHIs1mHrDkb8pPOxiG54X l/RAkPK3N0zMgSbNMMvn7C4oPrqcg3jfcNa6EYlT8UtNkyqf3eUO4OGEmIu7tesext13 4xQagqpTYgJrqRvP/7zZv2iAaeyxbz+SGvg+ZKH+grSkpi5rR4vfJ0npwcYwNE7DnRdE bIMn0YVIvc4iC1OFlJ9nRCdN47lAXWFpqFuqMSVvMrDb67wU2SnkDNZWFgSPtBv+MN5H n1pafhnsjF0iAnq8tsIZ1Bg7aS32Q/cQIUTfBEygWG0zSVMRYOOPY82tnM+UjsOr2dCw EA==
Received: from prod-mail-ppoint3 ( [] (may be forged)) by with ESMTP id 2jx14k24n1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 Jul 2018 22:19:22 +0100
Received: from pps.filterd ( []) by ( with SMTP id w63L530q031639; Tue, 3 Jul 2018 17:19:21 -0400
Received: from ([]) by with ESMTP id 2jx57bb8ge-1; Tue, 03 Jul 2018 17:19:21 -0400
Received: from Tereva.local (unknown []) by (Postfix) with ESMTP id 654DD20067; Tue, 3 Jul 2018 21:19:21 +0000 (GMT)
From: Brian Sniffen <>
To: Hanno =?utf-8?Q?B=C3=B6ck?= <>,
In-Reply-To: <20180703222414.17ee820c@computer.lan>
References: <> <20180703222414.17ee820c@computer.lan>
Date: Tue, 03 Jul 2018 17:19:20 -0400
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-03_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807030237
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-03_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807030239
Archived-At: <>
Subject: Re: [TLS] Encrypted SNI
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Jul 2018 21:19:31 -0000

Hanno Böck <> writes:

> So-called "Enterprise" infrastructure has delayed the work of this group
> for at least a year. Noone of the people creating that mess has reached
> out to this group to explain why they constantly break TLS - let alone
> apologize for it.
> I believe there's a large overlap of the actors breaking TLS with the
> actors who are worried about things like SNI encryption. I'm not sure I
> see any reason not to consider these actors as anything but opposed to
> the work of this group.

Whoah!  I've been involved for years specifically to ask for care about
encrypted SNI.  I don't know whether I break TLS; maybe opinions vary.
But my concerns have been specific:

First, at the engineering level, a requirement that servers do expensive
cryptographic work in response to a first packet *and* an inability to
charge that work to a user or application is a big problem.  It makes it
too hard for users or applications to share a server, or leads to levels
of address waste expensive even with IPv6.

If we're going to have 0RTT and 1RTT and TCP Fast Open and ECDHE... then
Encrypted SNI is a hard engineering problem! 

Second, at the architectural level, a serious question about whether
this actually helps anybody, and if so whom?  I think the case of the
Amnesty International worker in an oppressive dictatorship is almost
certainly *not* helped by this work---see my questions about how many
bits of security this provides against an adaptive adversary from this
morning---and would like some clarity that this is about inhibiting the
ISPs, from cafes through enterprises up to Comcast-TWC, from monkeying
with user sessions.  

My concerns at the engineering level have been welcomed, recognized,
validated, and addressed.  Not always exactly the way I'd like, but
absolutely addressed in a way that's appropriate and sincere.  I saw the
same with requests to re-insert RSA Kx late last year.  The PATIENT
folks have gotten a fair hearing.

My architectural concerns have been heard, somewhat less eagerly.  Some
participants, including our colleagues who are vendors to enterprises
and folks like Ben Schwartz, have been clear that they will not bring
all their motivations and evidence to the table.  I significantly
discount their arguments and expect others to do the same---but not to
zero.  It means we need to check their work as we go, or actually trust
them as people, but it *can't* be harder than keeping NSA/IA people on

Anyway, I think the PATIENT folks concerns about the engineering of TLS
1.3 have been heard, have been taken seriously, and have been
addressed---same as mine or yours.  What I've seen of the architectural
concerns leading to network-centric management and "tap" devices come
down to claims about changes in architecture being too expensive,
middleboxes being too expensive, changes to applications being too
expensive, and general citation of an architecture only a few years old
as immutable tradition.  Those claims have also been heard, plenty of
folks have respectfully and diligently combed through them for evidence,
and we've moved on.

I bet that's frustrating and frightening for the folks writing from a
world where those claims aren't faith-based---they're obvious.  They
don't need citation any more than "China is a country"[1] needs
citation.  Nonetheless, engineering conversations based on
data-supported arguments continue to be welcome.


     but see also

Brian Sniffen