Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Jacob Appelbaum <> Wed, 02 December 2015 17:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 70EB71ACD88 for <>; Wed, 2 Dec 2015 09:53:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sbubkskpJoFd for <>; Wed, 2 Dec 2015 09:53:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 80A6C1ACD86 for <>; Wed, 2 Dec 2015 09:53:41 -0800 (PST)
Received: by ioir85 with SMTP id r85so53976699ioi.1 for <>; Wed, 02 Dec 2015 09:53:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=23+pZ+rCz1PPUFFbBVbocCMb9LOlRgnJNq1Ld2UUxdA=; b=G4rmVXnFejcz2YMm5dlASE04ryy2XgSolE181ELNR3PjHDhLJC2LQJe3gSLoWN7tQ+ 5XkRkAQPwC5rAUBKYgYGO/YcDN7qQwV96MRcZOdHe1ZcGtxRVGDja4MP78wptFuzCuLu wR/eXjC5ThfOoFe4wSK0vdr4yZlQsjxCp0R4O1oFuFG5qLq8d8MsIaJEJLk+UDR4aYFo i30f/2y1RJOHYbzbAAVsnBzej8ZNNNfRUyYPe3+g4Ts/mw77NPRyPxmo2ZookQyL/Ce5 IhTeuzQ8KxqmMFzZVmxAAWLv16h6nI0p3sEqVgYRUkZHb08PQZB2pz3JHQwZeoJBfxNf dPGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=23+pZ+rCz1PPUFFbBVbocCMb9LOlRgnJNq1Ld2UUxdA=; b=Yx7YF9hqezFaUxUxKcNRalo4sPyfKnVQrQnRrki1YNm1G20hvGM/+8PcoCBUU0RSbn C8FCXftC9Fz6nEPi4dVvBLH5A0GPi15D69DqUSxtIuEcUG4OauJWH0JfeQQFlpU29ETL eAI4I8LEySV1+n+/5yIkqCOosPX1zuyCuwHT6E1yk/I9/TfpIkkwpRc4DduFfVFrpc3R xaFVGVdj5QoZtvDPKX1Y6ZbFFWJThZeZXMaxVIfDRQfZBUMsbkJDAjs5TCuFOpmatU3E vp4JfH+MvzEM3OFCSoFn3d1XQf76E31eNW3r7NxPMeZbkAmZ3MP9Nud1RpuFCm6JHz+T SDGA==
X-Gm-Message-State: ALoCoQmkQQsq7ckmfKI2btj3D42O1hb0feQdjtj1LkbMyPR+lhHXiy/8I8Yxjh3V2RFBN8mdx9R3
MIME-Version: 1.0
X-Received: by with SMTP id l19mr4268720iod.138.1449078820954; Wed, 02 Dec 2015 09:53:40 -0800 (PST)
Received: by with HTTP; Wed, 2 Dec 2015 09:53:40 -0800 (PST)
X-Originating-IP: []
In-Reply-To: <>
References: <> <>
Date: Wed, 02 Dec 2015 17:53:40 +0000
Message-ID: <>
From: Jacob Appelbaum <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Dec 2015 17:53:42 -0000

On 12/2/15, Martin Rex <> wrote:
> Jacob Appelbaum wrote:
>> I hope that we'll hide the SNI data by default and I understand that a
>> discussion about encrypted SNI is currently scheduled for some point
>> in the future.
> Hiding SNI data is completely silly security-wise, and any TLSv1.2
> backwards-compatible ClientHello must include a plaintext visible SNI.

Not hiding SNI data is completely silly security wise. SNI data is
used by attackers to perform denial of service attacks and to automate
man-in-the-middle attacks.

We have bare keys in TLS that may also be ephemeral - why would we
want to reveal a selector to the network that we know is used for
active attacks against the protocol?

The question for a few people, myself included, is how we might
protect the SNI data in an efficient manner.

> So your client will have to know a-priori, out-of-band or be configured
> to TLSv1.3-only in order to avoid using a TLSv1.2-compatible ClientHello
> with cleartext SNI.

I think that is false. One could easily use the "cleartext" SNI field
and insert an encrypted value. A hash of the name would be a simple
example but not a secure example, of course.

To the point about TLS 1.2 vs TLS 1.3: Legacy clients will be less
secure and in ways that will only become worse over time. We should
remember that TLS 1.3, while not yet finished or deployed, is a future
legacy protocol. We shouldn't burden the future with the failures of
TLS 1.2 or any other SSL/TLS mistakes of the past.

All the best,