Re: [TLS] Call for adoption of draft-vvv-tls-cross-sni-resumption

Martin Thomson <mt@lowentropy.net> Tue, 10 November 2020 22:37 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A230D3A1191 for <tls@ietfa.amsl.com>; Tue, 10 Nov 2020 14:37:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=h9vMTkko; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ZzOtFYR9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJidcas9IKNT for <tls@ietfa.amsl.com>; Tue, 10 Nov 2020 14:37:43 -0800 (PST)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56FE83A118F for <tls@ietf.org>; Tue, 10 Nov 2020 14:37:43 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 5955210F1; Tue, 10 Nov 2020 17:37:42 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Tue, 10 Nov 2020 17:37:42 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm3; bh=zCvPujem5akHWJZ4Odw9DEOakq2P ja8Y1SZMaEmTNgg=; b=h9vMTkkoojajjTsFXisSSu86mYJez1UlooA9yo/ZPgil UntLWw/HwmujJ/m9aasVtXNaLvgm7Pdr4D3vJfLJtVdSlPDV/VeTCKMcQtD4yxB0 vnTBNULuHQgg8lAi81705k/oNEyq50UQYckTFGSKjtzaTSJuXJurQjPfZ8gBgR7j cbABDywVacGyPvpp309BfH9axVYAtXpgsJ7mCz/vVqZonKoG4ZUe8dYD0DZEOylW AIfXZm4tvAH+y3Di3eRVuoMlpipB9vjas0CMwCx0FdXGFjvZkpyF5UISXtYEcHKD TGKLes3Gq7gEohTwx5jwHEQr0XhSdtbWTyEz61cvUw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=zCvPuj em5akHWJZ4Odw9DEOakq2Pja8Y1SZMaEmTNgg=; b=ZzOtFYR9CMHsGZxbHjW1no s2P74jisa81tHve9z1Ame6QbOoi9kPbNislY/frbzhwqmyzy/5nS68SqGhLYsqRg 8nHtzXsKit7jab3D2W0IizrQWtB2cQS4mXzkySZ34nanr3uoBAWkMs+GH7CgqhZz 1unU2BtSg5MQeOxBC7Gh5y3WR+2bTeL6L9fbposqHR88/ZBJEx4CqZDmAbZCBH+B uYb8kyW9y8MKZJaCpHKn0dU/GyNZyW1lmiz/5BuzSmU6kAwOOCsxlAz3RloQ9LFr 1Xg4GzjadvbLVJMYGreZrnj01pXQPA7wled+NoYmI6bY1V8SrNNJP2BT6iFDcJZQ ==
X-ME-Sender: <xms:NRarX_ideZf7KmRKq3o0K_ABscv32sbWr5AYffFZHksXKBABJmmXFA> <xme:NRarX8AuS7v2XvRFAXiXFxpPL6KC6kj98n-4sguhOXOGBykKCnEO60Inmo5Qn5ARu guoYh5KlB_DmTLc2Uw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedruddukedgtdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreertdenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecugg ftrfgrthhtvghrnhepjedvtddtjefhffeluefggfehteeiteeuudffveetheekgeegudef tdeuvdehfedunecuffhomhgrihhnpeifhhgrthifghdrohhrghenucevlhhushhtvghruf hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophih rdhnvght
X-ME-Proxy: <xmx:NRarX_G_Y9ttVgR_PO8nVptp7PlvaE4vpV6ghU22rpV23dKo4A7MMw> <xmx:NRarX8Sr-jzIjzuQE3jeyHnMejRASxd5o2uHxtchB5gb2syJek3aDA> <xmx:NRarX8z-ALqw0WQ2Z_zsB4ruCuXMf9iQ7o-Ta66jc2v_wD5YNqAsrQ> <xmx:NRarX5t5PkjdqUqcqLgtnmUKKFOH0KfFKkfL6oNsS2Uvglp5BUK5WA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 8CB2E2020C; Tue, 10 Nov 2020 17:37:41 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-570-gba0a262-fm-20201106.001-gba0a2623
Mime-Version: 1.0
Message-Id: <e58a9eac-3ad7-42c2-b9de-f667c82df4d4@www.fastmail.com>
In-Reply-To: <CAAZdMacR7DCCA8uFxyGBhCXCK1BJpSRQB_OpKt1NUgM4myu=Wg@mail.gmail.com>
References: <CAOgPGoATi+jFy53x5W4T6ai=xjH4VufhWaoABT5g_w=_72N8HA@mail.gmail.com> <9c0beec7-1f07-4919-a488-b06a39354d0f@www.fastmail.com> <CAAZdMacR7DCCA8uFxyGBhCXCK1BJpSRQB_OpKt1NUgM4myu=Wg@mail.gmail.com>
Date: Wed, 11 Nov 2020 09:37:20 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Victor Vasiliev <vasilvv@google.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ru9Z4teCYw9Zpl2K7nMkMzwHHRg>
Subject: Re: [TLS] Call for adoption of draft-vvv-tls-cross-sni-resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2020 22:37:45 -0000

On Wed, Nov 11, 2020, at 09:28, Victor Vasiliev wrote:
> > Thus, the draft needs to include privacy considerations, particularly regarding cross-origin tracking.  I am also of the opinion that it should use flags, but that would depend on changes to the flags draft.
> 
> I considered that.  This particular attack seems to be fairly 
> web-specific, and since the mitigation (network partition keys 
> <https://fetch.spec.whatwg.org/#network-partition-keys>) relies heavily 
> on Web concepts, I'm not sure a TLS draft would be a good place for 
> describing it (compared to, say, Fetch).

A one sentence reminder that using this capability allows for transfer of information between what might otherwise be isolated server identities is all I'm asking for.  I'm not asking for a full breakdown of storage isolation and fetch integration, just the hooks that would ensure that people know to think about this problem.  Browsers are probably amply covered in this regard, but the problem exists more generally.