Re: [TLS] About encrypting SNI
Erik Nygren <erik+ietf@nygren.org> Wed, 16 April 2014 18:56 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEAE11A02A8 for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 11:56:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97lGEcsE_VZy for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 11:56:32 -0700 (PDT)
Received: from mail-vc0-x22f.google.com (mail-vc0-x22f.google.com [IPv6:2607:f8b0:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 9AED31A02A7 for <tls@ietf.org>; Wed, 16 Apr 2014 11:56:31 -0700 (PDT)
Received: by mail-vc0-f175.google.com with SMTP id lh14so11050788vcb.6 for <tls@ietf.org>; Wed, 16 Apr 2014 11:56:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=VgBe//Onpfj5Wjsz3Hi1Av6kyMGuCrrDQhHFZebkW+4=; b=m1RjnKZB3aNh0E0EvmUMHZz0swGOY3XeL+RoSW8Ntmoe+ziEJWFXZciMsqPdSCYB3J PI9i0u4jN+7Bn6gXVyRGX4fwqukHh0ypE6e/QISVthNc+miGDl+NOVWolSK7QHVJYHTm Q01BBoSGd6V1TAtcjYSP25k+lc96i4WdgaAP/7UgI9q6kxo5HR4Yqo1ynETzAK6MxynJ dGB/0A4RCngJfz/K1vtlKN3UzBb5k93xWfs766y1x8LiSV90gxBjB72HhH2vRXeS5W8a 33tvFIyrvgbMyvn9+y68Oxj42RM0aJDslJZ1oPw0xEG1nO51irBPuWrsU+5FNEUovK9x 0VgA==
MIME-Version: 1.0
X-Received: by 10.52.3.129 with SMTP id c1mr1497102vdc.37.1397674588137; Wed, 16 Apr 2014 11:56:28 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.221.18.70 with HTTP; Wed, 16 Apr 2014 11:56:27 -0700 (PDT)
In-Reply-To: <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <m2k3apmjk2.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com>
Date: Wed, 16 Apr 2014 14:56:27 -0400
X-Google-Sender-Auth: Xs5TE0dLhXtOqsqLKJIfK-J_V6Y
Message-ID: <CAKC-DJgNvF=hhwoyRNkJ3vKz9EZ_JpoM84bCip6eProLwsQsEg@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: Andy Lutomirski <luto@amacapital.net>
Content-Type: multipart/alternative; boundary="20cf30363731566d6e04f72d7983"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OLdgDMZwkTSEiDj53IjeMeRoclg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 18:56:36 -0000
If we do anything with DNS, we need to be very conscious that individual records change asynchronously from other records. For example, we can't assume that an A/AAAA record and a DANE record refer to the same operator (webserver, hosting provider, CDN, etc). In order for anything along these lines to be deployable, it must be possible for everything associated with a particular name->service binding to change together. In addition, browser vendors are extremely wary of doing extra DNS lookups synchronous to a request which is one reason that SRV records aren't in-use today for HTTP(S). After thinking about this some, if we are looking towards a future world where additional DNS security and privacy has been added, a new "service binding" record type (I'll call it a "B-record") might help partially address a number of these issues and raise the bar a little about SNI privacy. The B-record would glue together information needed for establishing a connection (and provide a client with a number of options to choose from). For example: _https._b.www.example.com B "AAAA=2001::abcd, port=443, alpn=h2s, handshake_ecdhe_key=68sgjbjfsd8fyjgbsgd7863, handshake_token=5sdfkj335, pri=5, dane_cert_name=version83.ca.example.com" _https._b.www.example.com B "A=1.2.3.4, port=443, alpn=h2s, handshake_ecdhe_key=68sgjbjfsd8fyjgbsgd7863, handshake_token=5sdfkj335, pri=5, dane_cert_name=version83.ca.example.com" _https._b.www.example.com B "A=1.2.3.5, port=443, alpn=h1s, handshake_ecdhe_key=438nkgj8utjs89we0t8tjer, handshake_token=asdjhk887, pri=3, dane_cert_name=version82.ca.example.com" Defines a set of HTTPS service bindings for a few sets of IP addresses with different ALPN settings. In the above, the handshake_ecdhe_key is the public part of the server key to encrypt the handshake (including SNI to and the handshake_token is the "opaque" value from ekr's flows proposal. Clients could select between which of them they'd use based on their ALPN support. At least for HTTP(S), something like this might be more deployable than current options. Note that the handshake_token (sent in the clear in the TLS handshake like the "opaque" value) will leak information to passive attackers who are building up correlation tables. Also if the key is used *only* for the handshake, it's not clear that this is any worse against active attackers even if DNSSEC is not used than the "new flows" proposal. (In both cases a MitM can provide an alternate handshake key or build up a table of ids to SNIs.) Clearly DNSSEC would need to be used for *every* step before DANE could be used, however. I think the question from above arises of whether it is worth doing all of the engineering work here if there's still no fundamental way to guard against active attackers or resourceful passive attackers. Some of this will come down to trade-offs. Erik On Wed, Apr 16, 2014 at 10:39 AM, Andy Lutomirski <luto@amacapital.net>wrote: > On Wed, Apr 16, 2014 at 7:32 AM, Brian Sniffen <bsniffen@akamai.com> > wrote: > >> Furthermore, no offence to Rich, but I suspect if you told him "We'll > >> build the DNS subdomain forwarding, and you can use that or just not > >> encrypted SNI", he will choose not to use it. Maybe I'm wrong, but > >> since he argued against it initially, I'll make the leap. So making > >> it opt-in seems to be as equivalent to building an optional feature > >> that almost no one will use from the beginning. > > > > Yes: we will not use encrypted SNI. We can't. We need to put thousands > > of HTTP hosts with incompatible crypto requirements on each IP address. > > Per-IP keys don't help us very much. > > Would a protocol along the lines of my strawman work for you? I > explicitly did not require that the eventual cipher suite match for > different SNI values. I even made it possible to for whatever > receives the initial SSL connection to strip the SNI encryption and > hand the connection of to something else, without sharing any > long-term secrets between the machines in question. > > --Andy > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir