Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Jacob Appelbaum <jacob@appelbaum.net> Fri, 04 December 2015 03:50 UTC
Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B56E21B2C90 for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 19:50:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fHwYfDBmSKc1 for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 19:50:37 -0800 (PST)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EC9F1B2C8D for <tls@ietf.org>; Thu, 3 Dec 2015 19:50:37 -0800 (PST)
Received: by ioc74 with SMTP id 74so103441232ioc.2 for <tls@ietf.org>; Thu, 03 Dec 2015 19:50:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=appelbaum-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=hgZkQ683GkjKWrdk1OdR6rnk3NgDHiuqkf9POBI/Y3A=; b=ouDEa9scKHT/Czda3dRYxiBAaaySdAPPoG1YFm63tiaEryDsr4x6GHxt9wCxQTwToK XvrDDV8/dl1w4PwMzwUcT8IIrI90FWIfStJco5VLEc5ivl4N52uJUL4oV1RTeCTBW5n2 i+Vu+sbgfMYb5XoiliN9jM9ttaCheRauVkG8OILbNcUAjf624fg1x9CAY+JOKOLMgYmn FiRtsfF5jUN36OaG/Svba4ulQMm4voZysYUIkoo3//NviL5BpIxJKLJMS5uz+BCpH/q2 OvHIEbZeRORfk2CzvRPiU+UXTh1TBIMYO4RsQs2e703y2p+n/+DuUI6XALxgwKqM7b62 QuuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=hgZkQ683GkjKWrdk1OdR6rnk3NgDHiuqkf9POBI/Y3A=; b=AVxhy0VUvR6nZ+Xh5xrK6mNsyuRsozMvdhdn1NFXYLN1tvl+wIBpi5JA5jUoXOk11H s7WVUq0NfZeRjqZG25iYg7adEu/Z/GBro+jwV29z3RklbMqSiI5ky/haWWHX3LQr3tY+ mwenksh142vYqzmkqApQMW0q1aXapombK/0BokKgw26g7ODA97xa/OPdScp+FZjMblRd 3kJk/mWL/01JlBw0ARsSepZ3VbYsYQUYPSiX9sVr0ZUj5O8JaJyJtP3IPTqmozmzU2MF 43hD7aXXYu88ADTbfuADonY1Gkra/8GpUuB+OiBic7AhI6HKa+SMxIdydz9ddh+KoeIV U+Jg==
X-Gm-Message-State: ALoCoQmLItMGdvwznFuMMP+4bVaGfevr1EAT+awb9gML8h/XRTs6lMfgOYkVX5LfgZ7bypoMTC6T
MIME-Version: 1.0
X-Received: by 10.107.138.28 with SMTP id m28mr14337703iod.24.1449201036644; Thu, 03 Dec 2015 19:50:36 -0800 (PST)
Received: by 10.79.70.71 with HTTP; Thu, 3 Dec 2015 19:50:36 -0800 (PST)
X-Originating-IP: [109.163.234.2]
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B9865A@uxcn10-5.UoA.auckland.ac.nz>
References: <CAFggDF3cdjG79cd2uLi0oJo1kOhJOY4Fykt021vuZN+08mb3HA@mail.gmail.com> <20151203165344.C639C1A3A0@ld9781.wdf.sap.corp> <CAFggDF2oJUa=on18GBow1wfQrRnns_tnSP1SLroOfGnNVTpcyg@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4B9865A@uxcn10-5.UoA.auckland.ac.nz>
Date: Fri, 04 Dec 2015 03:50:36 +0000
Message-ID: <CAFggDF2ibKE+R9AehAqu1yu+4zpD01+vPY236bGHWFB41BPLrQ@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/R9C-XqIfJgQuRnguGxov9DdKw3c>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 03:50:38 -0000
On 12/4/15, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > Jacob Appelbaum <jacob@appelbaum.net> writes: > >>TCP/IP and DNS are out of scope, though obviously related. > > Why are they out of scope? They are out of scope for the TLS working group as far as I understand the organization of the IETF in terms of mandate. Am I incorrect? Should we discuss the privacy failures of IPv6 on this list as well? I'm happy to do so but I think this is out of scope. > You can't just ignore a threat if it's > inconvenient, you need to look at the overall picture. That is exactly what I've been saying over the last several days and really for many years. The collective action failures here are not because I can't see the overall picture but because there is blame shifting. If we look at one specific protocol and solve things, we find that composed with other solutions, we're really working toward an overall solution. > Arguing over > plugging > a mousehole in the corner of the barn is pointless when two of the four > walls > are missing. As Martin has pointed out: > > There are so many ways and places where the servername WILL be leaked, > (URLs, bookmarks, HTTP-Header-Fields, HTTP-Referer headers, etc.) that > bottom line, encrypting SNI amounts to crazy and pointless idea. TLS protects the HTTP headers, bookmarks don't travel across the network and a url needs to be sent by a protocol to be leaked to the network. The client requested hostname is leaked a single time. Plugging that leak by encrypting it is not impossible and that someone might share a URL doesn't mitigate the usefulness of reducing that specific information leakage in TLS. The point is not to hide that a server has a name - the point is to protect a flow within a relevant time frame. This may prevent an adversary from selecting it for storage (ex: XKeyscore selector on cs.auckland.ac.nz) or it may prevent an adversary from doing an active attack from even as lowly as an off-path position having seen just a single or small subset of packets from a given flow. There are other reasons as well. That DNS has problems doesn't mitigate that TLS itself has problems when it stands alone. > > I'm not sure if I'd call it crazy and pointless, just not worthwhile. > You're > leaking server-name information in a great many other locations and ways, > and > encrypted SNIs causes so many problems, that the cost/benefit tradeoff > doesn't > make it worthwhile (which, I guess, could be classed as "pointless"). As a TLS user - I'm only leaking SNI at Tor exit nodes and there is no other choice for me. I'm living in the world where DNS and other channels are not leaking on the same path as my TLS connection. Still, my TLS connections have a lot of information that is available to a sniffer on a Tor exit or XKeyscore on the whole internet. Removal of the SNI field is not an option - encrypting it should be an option, if not a strong default. > > Perhaps someone could write an RFC for a play-with-experimental-features TLS > extension, where implementers could encrypt lengths and SNIs and anything > else > they want, and then test them out in the real world to see what effect it > has. Or they could just call MinimaLT or CurveCP with mandatory Elligator TLS 1.3 and be done with it. All the best, Jacob
- [TLS] Encrypting record headers: practical for TL… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Tony Arcieri
- Re: [TLS] Encrypting record headers: practical fo… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bill Cox
- Re: [TLS] Encrypting record headers: practical fo… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Short, Todd
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Jim Schaad
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… John Mattsson
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- [TLS] Fully encrypted and authenticated headers (… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Fully encrypted and authenticated heade… Martin Thomson
- Re: [TLS] Fully encrypted and authenticated heade… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Mike Copley
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Stephen Farrell
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Ilari Liusvaara
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Mill
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Martin Thomson
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jeff Burdges
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum