Re: [TLS] About encrypting SNI
Tim Bray <tbray@textuality.com> Tue, 20 May 2014 20:24 UTC
Return-Path: <tbray@textuality.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8AA1A0758 for <tls@ietfa.amsl.com>; Tue, 20 May 2014 13:24:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uVqN5daTI7VT for <tls@ietfa.amsl.com>; Tue, 20 May 2014 13:24:33 -0700 (PDT)
Received: from mail-ve0-f170.google.com (mail-ve0-f170.google.com [209.85.128.170]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63E521A072D for <tls@ietf.org>; Tue, 20 May 2014 13:24:33 -0700 (PDT)
Received: by mail-ve0-f170.google.com with SMTP id db11so1315465veb.29 for <tls@ietf.org>; Tue, 20 May 2014 13:24:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=bDnPyYO9+w4RIi/M7RWAw2p84y+DISMMDIErOgUSTqM=; b=HzxX730A4R3/2x19E/pxXaUnwwleEawnvALjms3eDbMVPz/G0pMGmPbR8lPq+x/ncB 7nSmFpltihTBnB8RML8nEmdbn8V+BfLwE0qTuhDy6CXbLwQQDgBIBABn+dHs1SyPB6/s 9yIPfgilhPlNW85ZMJaNf3thrwrJs43yIsAP5P37OxNZ1iN5bpeFn3XcWSFR5zvdJPGm RoqR7HNXi0v99vGz6i3URxUP3exBd49VZmBPFN4pLofolzcL9NtyVBitECWMRWDtRvGo Vchk0N0KYoPWDmLIf9R466FruoKEI1R45J9SMKPN3sWdQDLEtpxXAnL5hEKT3MvT3OsD 4sow==
X-Gm-Message-State: ALoCoQkV6xrStpbJ/PjllraIlGveWlhQa4byeyiifL/Hl4QJ1n/eH/dd5MW9fpRrX8v8aMUm5MQi
X-Received: by 10.52.104.7 with SMTP id ga7mr4947206vdb.29.1400617472122; Tue, 20 May 2014 13:24:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.98.73 with HTTP; Tue, 20 May 2014 13:24:12 -0700 (PDT)
X-Originating-IP: [107.19.76.28]
In-Reply-To: <C81C96A7-0878-4C84-AB8C-CF0BF11841F2@gmail.com>
References: <0B76075A-D9F1-4780-8834-7FF0A1C82999@vigilsec.com> <20140425013239.7FE5E1ACE1@ld9781.wdf.sap.corp> <CAFggDF3u1R+540x6SM3Rt5u+GNQ44ZKozCoTSU1k+XMPU9V-tQ@mail.gmail.com> <C81C96A7-0878-4C84-AB8C-CF0BF11841F2@gmail.com>
From: Tim Bray <tbray@textuality.com>
Date: Tue, 20 May 2014 13:24:12 -0700
Message-ID: <CAHBU6itFLCdcZWzrDv02h=3-HF9+uF+ymqFf1cbDYOdvG17nzg@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a1136be72e475da04f9daaa0e"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/SUoTk3l8NX2JLw5QpZnCJYrAFys
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 20:24:35 -0000
On Tue, May 20, 2014 at 1:02 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > > The requirement for encrypted SNI is very simple. I want to browse certain > web sites such that if people knew I was browsing them it might get me in > trouble. We all like the example of a gay teenager in Uganda, but it could > just as well be an American browsing a website advocating Shari’a law for > all western countries landing in a no-flight list. > > Encrypting SNI would help if the “suspicious” web site is hosted by a > hosting service, and there are multiple innocuous sites on the same IP > address, and the traffic from the innocuous sites dominates the traffic to > the server, and traffic for this site is not distinguishable by other means > such as traffic analysis. That’s a lot of ‘if’s up there, and if any of > them fails, the adversary will know that I browsed the suspicious site. > AFAIK Tor provides a far more robust protection of this kind of activity. > Let’s assume you are correct in all your assertions. It is still the case that every time you increase the proportion of the attack surface which is encrypted, you increase the difficulty for snoopers. It is not a requirement that you make the snoopers’ task impossible; in fact, all you can ever do is crank up the difficulty for attackers. It seems obvious that encrypting as much of connection setup as possible would increase attacker difficulty so, if practical, it should be done. > > So I’m with Martin on this. If you need Tor, use Tor. > > Yoav > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > -- - Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
- [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Russ Housley
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Nick Mathewson
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Seth David Schoen
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Alyssa Rowan
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- [TLS] Forged RST (was: About encrypting SNI) Alyssa Rowan
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] Forged RST (was: About encrypting SNI) Erik Nygren
- Re: [TLS] About encrypting SNI James Cloos
- Re: [TLS] Forged RST Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] Forged RST (was: About encrypting SNI) Nico Williams
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Martin Thomson
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Eric Rescorla
- Re: [TLS] About encrypting SNI Sniffen, Brian
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Yoav Nir
- Re: [TLS] Forged RST (was: About encrypting SNI) Bill Frantz
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] Forged RST (was: About encrypting SNI) Watson Ladd
- Re: [TLS] Forged RST (was: About encrypting SNI) Eric Rescorla
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Martin Rex
- Re: [TLS] About encrypting SNI David Holmes
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Marsh Ray
- Re: [TLS] About encrypting SNI Nico Williams
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI Michael D'Errico
- Re: [TLS] About encrypting SNI Watson Ladd
- Re: [TLS] About encrypting SNI Erik Nygren
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI - Traffic Analysis… Michael StJohns
- Re: [TLS] About encrypting SNI - Traffic Analysis… Nico Williams
- Re: [TLS] About encrypting SNI - Traffic Analysis… Stephen Farrell
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Rex
- Re: [TLS] About encrypting SNI Nikos Mavrogiannopoulos
- Re: [TLS] About encrypting SNI Salz, Rich
- Re: [TLS] About encrypting SNI Stephen Farrell
- Re: [TLS] About encrypting SNI Andy Lutomirski
- Re: [TLS] About encrypting SNI - Traffic Analysis… Martin Thomson
- Re: [TLS] About encrypting SNI - Traffic Analysis… Tom Ritter
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Fabrice
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Lambert
- Re: [TLS] About encrypting SNI Yoav Nir
- Re: [TLS] About encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] About encrypting SNI Tim Bray
- Re: [TLS] About encrypting SNI Jacob Appelbaum
- Re: [TLS] About encrypting SNI Paul Hoffman
- Re: [TLS] About encrypting SNI Viktor Dukhovni
- Re: [TLS] About encrypting SNI Brian Sniffen
- Re: [TLS] About encrypting SNI Yoav Nir