Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Jacob Appelbaum <> Fri, 04 December 2015 03:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B56E21B2C90 for <>; Thu, 3 Dec 2015 19:50:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fHwYfDBmSKc1 for <>; Thu, 3 Dec 2015 19:50:37 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4EC9F1B2C8D for <>; Thu, 3 Dec 2015 19:50:37 -0800 (PST)
Received: by ioc74 with SMTP id 74so103441232ioc.2 for <>; Thu, 03 Dec 2015 19:50:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=hgZkQ683GkjKWrdk1OdR6rnk3NgDHiuqkf9POBI/Y3A=; b=ouDEa9scKHT/Czda3dRYxiBAaaySdAPPoG1YFm63tiaEryDsr4x6GHxt9wCxQTwToK XvrDDV8/dl1w4PwMzwUcT8IIrI90FWIfStJco5VLEc5ivl4N52uJUL4oV1RTeCTBW5n2 i+Vu+sbgfMYb5XoiliN9jM9ttaCheRauVkG8OILbNcUAjf624fg1x9CAY+JOKOLMgYmn FiRtsfF5jUN36OaG/Svba4ulQMm4voZysYUIkoo3//NviL5BpIxJKLJMS5uz+BCpH/q2 OvHIEbZeRORfk2CzvRPiU+UXTh1TBIMYO4RsQs2e703y2p+n/+DuUI6XALxgwKqM7b62 QuuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=hgZkQ683GkjKWrdk1OdR6rnk3NgDHiuqkf9POBI/Y3A=; b=AVxhy0VUvR6nZ+Xh5xrK6mNsyuRsozMvdhdn1NFXYLN1tvl+wIBpi5JA5jUoXOk11H s7WVUq0NfZeRjqZG25iYg7adEu/Z/GBro+jwV29z3RklbMqSiI5ky/haWWHX3LQr3tY+ mwenksh142vYqzmkqApQMW0q1aXapombK/0BokKgw26g7ODA97xa/OPdScp+FZjMblRd 3kJk/mWL/01JlBw0ARsSepZ3VbYsYQUYPSiX9sVr0ZUj5O8JaJyJtP3IPTqmozmzU2MF 43hD7aXXYu88ADTbfuADonY1Gkra/8GpUuB+OiBic7AhI6HKa+SMxIdydz9ddh+KoeIV U+Jg==
X-Gm-Message-State: ALoCoQmLItMGdvwznFuMMP+4bVaGfevr1EAT+awb9gML8h/XRTs6lMfgOYkVX5LfgZ7bypoMTC6T
MIME-Version: 1.0
X-Received: by with SMTP id m28mr14337703iod.24.1449201036644; Thu, 03 Dec 2015 19:50:36 -0800 (PST)
Received: by with HTTP; Thu, 3 Dec 2015 19:50:36 -0800 (PST)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <>
Date: Fri, 04 Dec 2015 03:50:36 +0000
Message-ID: <>
From: Jacob Appelbaum <>
To: Peter Gutmann <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 03:50:38 -0000

On 12/4/15, Peter Gutmann <> wrote:
> Jacob Appelbaum <> writes:
>>TCP/IP and DNS are out of scope, though obviously related.
> Why are they out of scope?

They are out of scope for the TLS working group as far as I understand
the organization of the IETF in terms of mandate. Am I incorrect?
Should we discuss the privacy failures of IPv6 on this list as well?
I'm happy to do so but I think this is out of scope.

> You can't just ignore a threat if it's
> inconvenient, you need to look at the overall picture.

That is exactly what I've been saying over the last several days and
really for many years. The collective action failures here are not
because I can't see the overall picture but because there is blame
shifting. If we look at one specific protocol and solve things, we
find that composed with other solutions, we're really working toward
an overall solution.

> Arguing over
> plugging
> a mousehole in the corner of the barn is pointless when two of the four
> walls
> are missing.  As Martin has pointed out:
>   There are so many ways and places where the servername WILL be leaked,
>   (URLs, bookmarks, HTTP-Header-Fields,  HTTP-Referer headers, etc.) that
>   bottom line, encrypting SNI amounts to crazy and pointless idea.

TLS protects the HTTP headers, bookmarks don't travel across the
network and a url needs to be sent by a protocol to be leaked to the
network. The client requested hostname is leaked a single time.
Plugging that leak by encrypting it is not impossible and that someone
might share a URL doesn't mitigate the usefulness of reducing that
specific information leakage in TLS.

The point is not to hide that a server has a name - the point is to
protect a flow within a relevant time frame. This may prevent an
adversary from selecting it for storage (ex: XKeyscore selector on or it may prevent an adversary from doing an active
attack from even as lowly as an off-path position having seen just a
single or small subset of packets from a given flow. There are other
reasons as well.

That DNS has problems doesn't mitigate that TLS itself has problems
when it stands alone.

> I'm not sure if I'd call it crazy and pointless, just not worthwhile.
> You're
> leaking server-name information in a great many other locations and ways,
> and
> encrypted SNIs causes so many problems, that the cost/benefit tradeoff
> doesn't
> make it worthwhile (which, I guess, could be classed as "pointless").

As a TLS user - I'm only leaking SNI at Tor exit nodes and there is no
other choice for me. I'm living in the world where DNS and other
channels are not leaking on the same path as my TLS connection. Still,
my TLS connections have a lot of information that is available to a
sniffer on a Tor exit or XKeyscore on the whole internet. Removal of
the SNI field is not an option - encrypting it should be an option, if
not a strong default.

> Perhaps someone could write an RFC for a play-with-experimental-features TLS
> extension, where implementers could encrypt lengths and SNIs and anything
> else
> they want, and then test them out in the real world to see what effect it
> has.

Or they could just call MinimaLT or CurveCP with mandatory Elligator
TLS 1.3 and be done with it.

All the best,