Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)

Nick Mathewson <> Fri, 25 September 2015 13:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 176A71A19F8 for <>; Fri, 25 Sep 2015 06:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.122
X-Spam-Status: No, score=0.122 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PMe8D0Km2III for <>; Fri, 25 Sep 2015 06:49:50 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F01AE1A19EC for <>; Fri, 25 Sep 2015 06:49:49 -0700 (PDT)
Received: by lacdq2 with SMTP id dq2so43704294lac.1 for <>; Fri, 25 Sep 2015 06:49:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=H1ohVYkPEJDbsbYn5yiY6m6diqI32tSGGO/wKZliF5E=; b=aFRv3qiPJe6sR4yiECIfyV1ZxhjEFrz1aczB1lhPr5OX5xMniMUsYvEkObYeSPEK55 QuMUbJXOG2EZsfCz6ziyH6lkZSEMXZQ6DmVReQfwnH5Kb4pGF2oZrMWHOR3lWvbZUrpY m7wBFGKLW+Aoy4nxIff55ygl2OlLyWSBy7u+rb11tWy95H9e4F0KQo7c5myaEJCn2Xzd WIR0PcnW/V3dzLJjf/vBM72/7/s0oREVXhzn3Vp54/Y59Vd88z7KynEDTWn8IWzcqbLQ 6Zhyc0Evaq5JM9i1WhxBHuuq1jKn97ioYlNFGtjE95aS+7VfmSGRuW6w8S0xJw90ugr8 jthQ==
MIME-Version: 1.0
X-Received: by with SMTP id x2mr1412079lax.120.1443188988061; Fri, 25 Sep 2015 06:49:48 -0700 (PDT)
Received: by with HTTP; Fri, 25 Sep 2015 06:49:47 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
Date: Fri, 25 Sep 2015 09:49:47 -0400
X-Google-Sender-Auth: lin2wl001FQyA6KZe6N3DKCVG6Q
Message-ID: <>
From: Nick Mathewson <>
To: "Salz, Rich" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 Sep 2015 13:49:52 -0000

On Tue, Sep 22, 2015 at 2:37 PM, Salz, Rich <> wrote:
> We discussed this before.  Not that we can't discuss it again.  Here's a link to slides I presented at the Toronto Interim in July 2015.

Thanks for that link, Rich!

Please forgive me if my analysis has already been gone over, but I
believe that there are at least three problematic aspects in the
argument as presented in your slides.

1) Entrenchment of codependent vulnerabilities

This is a strong antipattern in security design, and it's been
practiced by some of the great minds of the field, but I think it's
fundamentally mistaken. Here's how it works:

There are two systems, A and B.  Each has a problem that enables some
kind of attack. The people who maintain system A say: "There is no
point in fixing A, because any attacker who breaks A could achieve the
same results via B."  But the people who maintain system B say: "There
is no point fixing B because any attacker who breaks B can achieve the
same results via A."

Both groups are using solid logic: neither one of them would
materially improve user security by fixing the vulnerability in their
system.  The Codependent Vulnerability antipattern arises when no
progress is ever made, because each group decides that the problems
outside its control will probably never be fixed.

In your slides, I see several instances of codependent vulnerabilities:

a) Improved DNS security vs Encrypted SNI

The lack of security in current DNS usage is taken to justify not
improving SNI privacy. But in discussions about DNS privacy,
vulnerabilities in other protocols are frequently taken as
justification for not improving DNS privacy.

b) Traffic analysis vs encryption

Traffic analysis is indeed strong today, but it's not omnipotent, and
good research on resisting it is happening all the time.  But if we
take the weaknesses of TLS against traffic analysis a a permanent
feature of the world, then such research will have less opportunity to
bear fruit, since TLS will entrench the problems that
anti-traffic-analysis research cannot yet solve.

c) Technical attacks vs rubber-hose attacks

See point 2 below.

2) Attacks are not equally costly and do not scale equally well.

It's not sufficient to say "This defense will not render the attack
impossible; therefore it is useless"; we also need to consider whether
the defense will render the attack _more expensive_.

Even for regimes unconcerned with fair play and regimes with
significantly intrusive attitudes to civil liberties... intimidating
citizens, applying political pressues, and backdooring infrastructure
are not zero-cost operations.  In nearly all cases, ithese attacks are
more difficult and costly than simply reading bytes off the wire.

3) Censorship vs surveillance.

The analysis in the slides is concerned with attackers against privacy
rather than attackers against availability.  But IMNSHO, both kinds of
attacker are a significant threat to human rights.

Unencrypted SNI makes a censor's job extremely easy.  In today's TLS,
it's trivial to block targeted domains hosted at a provider without
blocking ones where the censors consider access desirable.  Encrypting
SNI would make this kind of blocking more difficult and technically

To be fair, encrypted SNI would probably make trouble for providers
who host some censored and some uncensored services.  Plaintext SNI
does make it easier for censors to be selective, and thereby makes it
easier for hosting providers to avoid conflicts and drama.

best wishes,
Nick Mathewson