Re: [TLS] "Encrypted" SNI

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 May 2017 15:05 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Roland Zink <roland@zinks.de>, Christian Huitema <huitema@huitema.net>, tls@ietf.org
In-Reply-To: <95423440-7d9a-6568-0e80-e58e3e27a373@zinks.de>
References: <3768598.32hupQ9b2b@pintsize.usersys.redhat.com> <a6029246-46f6-d698-983f-b668d70e2780@zinks.de> <1be2b15e-2e96-89f4-fe72-7f35a03ae99b@huitema.net> <95423440-7d9a-6568-0e80-e58e3e27a373@zinks.de>
Date: Thu, 11 May 2017 10:21:36 -0400
Message-ID: <87mvajiidr.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NNBK1tXiiWVTJDRPlcqFBAGxQIo>

On Thu 2017-05-11 00:03:15 +0200, Roland Zink wrote:
> Not necessarily as you may for example use the path part of a URL to 
> distinguish between services.

If we're talking about HTTPS, this approach raises a series of potential
security issues thanks to the same-origin policy and other host- or
domain-specific features of the web security model. It doesn't solve
the situation where you'd like the services to be independent.

                --dkg
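The point above (services told apart only by URL path collapse into one web origin, so the browser treats them as a single principal) can be checked mechanically. The following is an added example, not code from this thread or from any IETF work; it implements the RFC 6454 origin tuple (scheme, host, port) itself and groups a constructed list of service URLs by origin. It assumes Node.js with the global `URL` class; the sample hostnames are constructed.

```javascript
// Added example: group service URLs by web origin (RFC 6454: scheme, host, port)
// to show which "services" share one security context in a browser.
// Assumes Node.js (global URL class). Sample URLs below are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin as "scheme://host:port" with the default port made explicit, so that
// https://example.com/ and https://example.com:443/ compare equal. The path
// is deliberately ignored: it is not part of the origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (port === undefined) throw new Error(`no default port for ${u.protocol}`);
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Map each origin to the list of URLs that fall into it.
function groupByOrigin(urls) {
  const groups = new Map();
  for (const url of urls) {
    const o = originOf(url);
    if (!groups.has(o)) groups.set(o, []);
    groups.get(o).push(url);
  }
  return groups;
}

// Origins with more than one member: sets of services that the same-origin
// policy does NOT separate (shared cookies, storage, DOM access).
function sharedContexts(urls) {
  return [...groupByOrigin(urls).entries()]
    .filter(([, members]) => members.length > 1)
    .map(([origin, members]) => ({ origin, members }));
}

// Constructed deployment: three services behind one name, one on its own name.
const SAMPLE = [
  'https://example.com/mail/',
  'https://example.com:443/calendar/',
  'https://EXAMPLE.com/admin/',
  'https://admin.example.com/',
];

for (const { origin, members } of sharedContexts(SAMPLE)) {
  console.log(`${origin} is one security context for: ${members.join(', ')}`);
}
```

Only `admin.example.com` ends up isolated; the three path-separated services report as a single origin.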