Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Jacob Appelbaum <jacob@appelbaum.net> Wed, 02 December 2015 17:53 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70EB71ACD88 for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:53:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sbubkskpJoFd for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:53:41 -0800 (PST)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80A6C1ACD86 for <tls@ietf.org>; Wed, 2 Dec 2015 09:53:41 -0800 (PST)
Received: by ioir85 with SMTP id r85so53976699ioi.1 for <tls@ietf.org>; Wed, 02 Dec 2015 09:53:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=appelbaum-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=23+pZ+rCz1PPUFFbBVbocCMb9LOlRgnJNq1Ld2UUxdA=; b=G4rmVXnFejcz2YMm5dlASE04ryy2XgSolE181ELNR3PjHDhLJC2LQJe3gSLoWN7tQ+ 5XkRkAQPwC5rAUBKYgYGO/YcDN7qQwV96MRcZOdHe1ZcGtxRVGDja4MP78wptFuzCuLu wR/eXjC5ThfOoFe4wSK0vdr4yZlQsjxCp0R4O1oFuFG5qLq8d8MsIaJEJLk+UDR4aYFo i30f/2y1RJOHYbzbAAVsnBzej8ZNNNfRUyYPe3+g4Ts/mw77NPRyPxmo2ZookQyL/Ce5 IhTeuzQ8KxqmMFzZVmxAAWLv16h6nI0p3sEqVgYRUkZHb08PQZB2pz3JHQwZeoJBfxNf dPGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=23+pZ+rCz1PPUFFbBVbocCMb9LOlRgnJNq1Ld2UUxdA=; b=Yx7YF9hqezFaUxUxKcNRalo4sPyfKnVQrQnRrki1YNm1G20hvGM/+8PcoCBUU0RSbn C8FCXftC9Fz6nEPi4dVvBLH5A0GPi15D69DqUSxtIuEcUG4OauJWH0JfeQQFlpU29ETL eAI4I8LEySV1+n+/5yIkqCOosPX1zuyCuwHT6E1yk/I9/TfpIkkwpRc4DduFfVFrpc3R xaFVGVdj5QoZtvDPKX1Y6ZbFFWJThZeZXMaxVIfDRQfZBUMsbkJDAjs5TCuFOpmatU3E vp4JfH+MvzEM3OFCSoFn3d1XQf76E31eNW3r7NxPMeZbkAmZ3MP9Nud1RpuFCm6JHz+T SDGA==
X-Gm-Message-State: ALoCoQmkQQsq7ckmfKI2btj3D42O1hb0feQdjtj1LkbMyPR+lhHXiy/8I8Yxjh3V2RFBN8mdx9R3
MIME-Version: 1.0
X-Received: by 10.107.137.19 with SMTP id l19mr4268720iod.138.1449078820954; Wed, 02 Dec 2015 09:53:40 -0800 (PST)
Received: by 10.79.70.71 with HTTP; Wed, 2 Dec 2015 09:53:40 -0800 (PST)
X-Originating-IP: [89.46.101.168]
In-Reply-To: <20151202160837.6016A1A39B@ld9781.wdf.sap.corp>
References: <CAFggDF3HP5u0YP0UP_HrrZnrTnzc-CD1EG0grZBcb5sB7A2fAA@mail.gmail.com> <20151202160837.6016A1A39B@ld9781.wdf.sap.corp>
Date: Wed, 02 Dec 2015 17:53:40 +0000
Message-ID: <CAFggDF0D3Rgav-4xg-11u0igMyMXvAWT+JNt2r1xyQnpvm08Qw@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QCtoViSxJbyojZ9ID1uzUusz_LA>
Cc: tls@ietf.org
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 17:53:42 -0000

On 12/2/15, Martin Rex <mrex@sap.com> wrote:
> Jacob Appelbaum wrote:
>>
>> I hope that we'll hide the SNI data by default and I understand that a
>> discussion about encrypted SNI is currently scheduled for some point
>> in the future.
>
> Hiding SNI data is completely silly security-wise, and any TLSv1.2
> backwards-compatible ClientHello must include a plaintext visible SNI.
>

Not hiding SNI data is completely silly security wise. SNI data is
used by attackers to perform denial of service attacks and to automate
man-in-the-middle attacks.

We have bare keys in TLS that may also be ephemeral - why would we
want to reveal a selector to the network that we know is used for
active attacks against the protocol?

The question for a few people, myself included, is how we might
protect the SNI data in an efficient manner.

> So your client will have to know a-priori, out-of-band or be configured
> to TLSv1.3-only in order to avoid using a TLSv1.2-compatible ClientHello
> with cleartext SNI.
>

I think that is false. One could easily use the "cleartext" SNI field
and insert an encrypted value. A hash of the name would be a simple
example but not a secure example, of course.

To the point about TLS 1.2 vs TLS 1.3: Legacy clients will be less
secure and in ways that will only become worse over time. We should
remember that TLS 1.3, while not yet finished or deployed, is a future
legacy protocol. We shouldn't burden the future with the failures of
TLS 1.2 or any other SSL/TLS mistakes of the past.

All the best,
Jacob