Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Aaron Zauner <azet@azet.org> Thu, 03 December 2015 13:15 UTC
Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35F9D1A702A for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 05:15:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lh3c9EnG0jZv for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 05:15:20 -0800 (PST)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0379C1A7023 for <tls@ietf.org>; Thu, 3 Dec 2015 05:15:20 -0800 (PST)
Received: by lfaz4 with SMTP id z4so90220372lfa.0 for <tls@ietf.org>; Thu, 03 Dec 2015 05:15:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=XtZ0P4XRzTlL5auVhJk4A1HwYwQiXk6H1YIdbHY8pLg=; b=ZzF5VJN2JF18JO2ctaVqWMDgox5i3VAQIB4jr1Xk3sbSS9vGb6N0jvKF4BPG2IKIjW MansaZiEt29cmrvEuf7UzumZiUIi+RyD6HZstWL6s6P/V/HNQAjuSsm4jV+Y2PweExeI SFJyiENGVpGSl5xb7g349Sxx6gGoeiA5/DPII=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=XtZ0P4XRzTlL5auVhJk4A1HwYwQiXk6H1YIdbHY8pLg=; b=DZV/v6VluHKgn/m7QL/zqlZc/M9uK7CzROJaqH7/EpPlULrj3c8OEkmSrDYZaRS2Yt 5I3+2u2L+B6r06x8BN4eF8G69bh91LR09f7wgFyNbVe/5xgwZr1Dsaf3c0+8aQkKLSm2 lf8hri4VIuzCUOEgfXYIrh1m0DHNIsE7w7fRdJEtHelYR+NXduhpMxOyxALWmJVElFPJ +8EtjhrPPAbZ5a1oZXgj/mZYvPWnIgtUASXXbbVwVWwHE0hlLjw+suz0tgFDqWLNreXS /IrBoUi7Osq6D3RdsVoXigpaP0Hvk209bTJwrecs4XhyhN6bWfaYMRJBMxmZbvRop3TE XJJg==
X-Gm-Message-State: ALoCoQmUD3inYBhV3TdaRKiYU6zPdlXtYJjfbXic7t2ZJ+ll4Bye6YZCIcr2yQdbC47mW+jlncIf
X-Received: by 10.25.145.81 with SMTP id t78mr5754726lfd.86.1449148518073; Thu, 03 Dec 2015 05:15:18 -0800 (PST)
Received: from [192.168.1.103] ([41.232.113.177]) by smtp.gmail.com with ESMTPSA id qp7sm1378793lbc.24.2015.12.03.05.15.14 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 03 Dec 2015 05:15:16 -0800 (PST)
Message-ID: <5660405E.3060008@azet.org>
Date: Thu, 03 Dec 2015 14:15:10 +0100
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Jacob Appelbaum <jacob@appelbaum.net>
References: <CAFggDF3HP5u0YP0UP_HrrZnrTnzc-CD1EG0grZBcb5sB7A2fAA@mail.gmail.com> <20151202160837.6016A1A39B@ld9781.wdf.sap.corp> <CAFggDF0D3Rgav-4xg-11u0igMyMXvAWT+JNt2r1xyQnpvm08Qw@mail.gmail.com> <0ba184c45d44474e961a2aaac82fec0e@usma1ex-dag1mb1.msg.corp.akamai.com> <CAFggDF119jxPSXUAe2E4y_TQds4P3K1eTGM3sZHSa=NoeMOV-A@mail.gmail.com> <1b5cf52ca90e45bd82f5247ca675dead@usma1ex-dag1mb1.msg.corp.akamai.com> <CAFggDF24hhrXS95kONb_N6XHrO+11wFsAkHOpYZ_uu5RvyV+Kg@mail.gmail.com> <CANBOYLXJX_gjuC8Rp0Z9YqzNYsbr0x1WeL4AeRUxFtMaM+U5wQ@mail.gmail.com> <CAFggDF2fbpFkURZtjuKc5NWGRdYra+A9gPD6881nk-Crs2ijXA@mail.gmail.com>
In-Reply-To: <CAFggDF2fbpFkURZtjuKc5NWGRdYra+A9gPD6881nk-Crs2ijXA@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig586AE4E4C5EEA8093952812D"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/TtY27VyaYFmN7faai0pw5l6_Cts>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 13:15:25 -0000
Hi *, Jacob Appelbaum wrote: > I'm sorry but that analysis is just not a serious and rigorous analysis. No it's not. It's a very short presentation from a TLS-WG interim meeting. The threat-model concerns Akamai's (and other's) current and - possibly - future use of TLS. We're not trying to build an Onion routing protocol. Given the FUD on the Tor dev list, this is a good thing. While the presentation might have flaws from the perspective of an Onion routing protocol developer, it reflects the point of view of a lot of people/companies on this list, I assume. > >> It's not just a collective action problem because DNS isn't encrypted too. > > The conclusion summary is that because there are many problems, we > won't address our part of the problems. The conclusion is that SNI > privacy isn't worth it because those who live in liberal democracies > with poor traffic analysis, well they just don't matter much. Which > is... just... well, as I said above, I just don't take this seriously. See above, different point of views on the same problem. I agree here and think we should continue to find a proper solution for encrypted-SNI for TLS 1.3 - if at all possible. What we currently have on our hands is not very convincing to me. > >> Their analysis also looks at what you get when both are encrypted. And >> regardless of DNS being encrypted, rainbow-table style reverse lookups of >> IP to DNS name are always possible. That doesn't mean encrypted SNI isn't >> worth it -- it clearly provides a security attribute (confidentiality) to >> an important piece of information. > > You're now suggesting an attacker that computes rainbow-tables to > arrive a possibility which in itself sounds like a massive improvement > over what was an absolute certainty. +1. > >> I'm not advocating a strong stance on whether encrypted SNI is worth >> pursuing, or whether TLS record headers should be encrypted in TLS 1.3. But >> it's useful to keep the debate framed in its full context, rather than >> narrowing it to a black-and-white discussion over whether a generally good >> attribute is good or not. > > Sure and that full context includes RFC 7258: "Pervasive Monitoring Is > an Attack" - something that defines reasonably clearly many of the > concerns I've stated. > While kind of a political/policy document I agree that IETF WG's should follow (and participants read) it. I remember the STRINT meeting in 2014 where a lot of people were very pissed about NSA activity and we decided we want to do something about it. If it takes a standard a few months longer to be finished, please give it the proper amount of time for enough people to put their ideas into it. Most people do not come up with solid engineering solutions over night. And crypto is hard as we all know. We should not forget that TLS has a very different threat-model and performance assumptions than Tor though. Thanks, Aaron
- [TLS] Encrypting record headers: practical for TL… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Tony Arcieri
- Re: [TLS] Encrypting record headers: practical fo… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bill Cox
- Re: [TLS] Encrypting record headers: practical fo… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Short, Todd
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Jim Schaad
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… John Mattsson
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- [TLS] Fully encrypted and authenticated headers (… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Fully encrypted and authenticated heade… Martin Thomson
- Re: [TLS] Fully encrypted and authenticated heade… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Mike Copley
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Stephen Farrell
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Ilari Liusvaara
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Mill
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Martin Thomson
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jeff Burdges
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum