Re: [TLS] ESNI and padding
Ben Schwartz <bemasc@google.com> Thu, 20 June 2019 11:21 UTC
Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1631712003F for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 04:21:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0AlMueptEaIu for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 04:21:02 -0700 (PDT)
Received: from mail-ua1-x92e.google.com (mail-ua1-x92e.google.com [IPv6:2607:f8b0:4864:20::92e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5099D12002F for <tls@ietf.org>; Thu, 20 Jun 2019 04:21:02 -0700 (PDT)
Received: by mail-ua1-x92e.google.com with SMTP id v18so1444927uad.12 for <tls@ietf.org>; Thu, 20 Jun 2019 04:21:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/zAIZAfCHAa3h1EIgGHSpb/HM8mOuxdk5I4577guMXU=; b=rrQfwxGkEKkVM7hk+uMJd8QGI8Q6lwqgSfaDsrKoz00hmCGW9uf0vm/oAA7YYZH2JT h2UpjR14TfH971MTTAdgYu1UZz+KtEPpA3JQQNnOylZ1XfbRGKVmBezJQEN/m0u2ej2D +mhlSNn0XlB5imZCqjx1/FWBmsliCGR+Pw+aqqMRlBDmZ/3vi2UxG6vE3KTtZ2y6cD/m aCeTFvHhSIaB4r3u2wiqMy6wSlV1EiHa+9Oblj7r5VFx5nlKaF+5y1glIx4AP+MQHmWB K9EU0cD1yFhzTRKQL9qLm8Tdj+qMXGZjk1T6gwyTofU1z5vJpv1fOxHtnt/l7BiTDF/U kprg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/zAIZAfCHAa3h1EIgGHSpb/HM8mOuxdk5I4577guMXU=; b=Q2S/W7C77RvAZ3VGT8guoSvkPKciUA8IdEvCUbrNdljUNQgGJwENTvxq4gof24fZP4 Ucpn23P9lr84zhpq4lygf/Z14/qtH1V46IsbhMVMjBBImdBIdnQ7LToSHisW6pmaMhu6 QfBlHXh26tsdR4Q3eCBYWr2tmkMX1DIA80kuhkn98TLUoDLO2Zdw+y1jd9/1jmZ3Jqmx 6sD0a0DmeYIDiq4nD+cdyGrFgRc0Xs3oKZ2MuhEcb1w0SjNjLqxDh6lhJv9Qkr300lqq 03SwfGVyK2KQfMER5qPxC0Z1B0sv7rH00aXm0OcDjaMIbfgqb4ZOwjPvoHSMiaLwf/Ol 6Sfg==
X-Gm-Message-State: APjAAAVeiOo8n/i56eNW8WofdWkkuqeWPvBwfEO4PqVxmSuokuO/2YOa 7107mJAQWAzecPChgUDyZDFoMBT9Qlp/Q9XobKnvDLQehOs=
X-Google-Smtp-Source: APXvYqyliXjMiDlDKQgTwzniwPhmJ5neQUAouAo+s/ptamHzpT+BxxqRYvfVpukuI+4N4eKnkPNlpHHdH+ouJLjtp1Q=
X-Received: by 2002:a9f:31a2:: with SMTP id v31mr17315158uad.15.1561029660896; Thu, 20 Jun 2019 04:21:00 -0700 (PDT)
MIME-Version: 1.0
References: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie>
In-Reply-To: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 20 Jun 2019 07:20:48 -0400
Message-ID: <CAHbrMsAa+FudZ-t3MOnxa37rz=D_-1=izaPqBk-2nHaO_L9czA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000764311058bbf8a68"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QDRTIKMw7QfERsYRKJe0dl0hmog>
Subject: Re: [TLS] ESNI and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 11:21:06 -0000
On Wed, Jun 19, 2019 at 6:34 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: ... > What I'd suggest instead: > > - delete the padded_length field from ESNIKeys, so nobody needs > to configure anything for padding > - clients MUST pad to a multiple of N octets where N is in the > spec (I'd suggest N=32, but any number that's longer than > nearly all real TLS server names would be good) > - we RECOMMEND clients randomly add an additional N octets of > padding with probability X%, perhaps with X=10 (btw - am I > right in thinking that if X% is greater than the percentage > of real names that are longer than N, then we're good?) > - we STRONGLY RECOMMEND that servers choose names shorter than > N octets for hidden web sites As you are clearly aware, this approach provides essentially no privacy protection in the case where a user is repeatedly connecting to a very long domain on a server whose other domains are reasonably short. Rather than make a privacy-vs-efficiency tradeoff in the spec, the current text leaves this option to the implementer. For example, within the current protocol (albeit bending the recommendations slightly), an implementer could easily bucket names by length, and offer separate ESNIKeys for each length bucket. I think this is preferable; only the server operator knows their own privacy and efficiency goals. In my view, setting N=32 for the first bucket would reproduce most of the benefits of this proposal without altering the current protocol.
- [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Christopher Wood