Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)

Dave Garrett <davemgarrett@gmail.com> Fri, 28 August 2015 17:01 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 28 Aug 2015 13:01:49 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Q86gu5bhQokK0Kxn6ozvORDWYSw>

On Friday, August 28, 2015 12:33:31 pm Salz, Rich wrote:
> > And how often will the same client visit multiple servers at the same
> > transport address?
> 
> Anyone who visits sites hosted by a CDN.  And, I suspect, many large portals.

How's it done with IPv6, generally? Are there setups where everyone is sharing a v6 IP? We could eventually get to the point where a reverse DNS lookup is all that's needed for everyone if things were set up smartly. Probably a better setup for things to work, but worse for passive surveillance. (though, IPv6 could eventually let clients randomize their IP frequently, which helps some things; getting off-topic here, though)

> > I don't really see this as viable or worth the effort.
> 
> Agree.

I agree that it's a lot of effort for relatively little gain. It might be worth considering, but if the consensus is that TLS just isn't designed to do this easily enough to be worth it, then I don't really dispute a decision to just drop the concept.


Dave