Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

[Ralf Skyper Kaiser <skyper@thc.org>]

Hi


On Fri, Nov 8, 2013 at 5:02 AM, Martin Rex <mrex@sap.com> wrote:

> >
> > Fixing TLS is in-scope, though, and TLS shouldn't leak information just
> > because other related protocols also leak information.
>
> Don't fix it if it ain't broken.
> SNI was specifically DESIGNED to convey the server name in the clear.
>
> Security only works in a meaningful fashion if you can ensure "hygiene",
> otherwise it will be expensive obscurity and result in casualties.
>

SNI was NOT DESIGNED to be convey the server name in clear. SNI was
designed so that the server can pick the right certificate.

SNI can be transmitted encrypted and should be transmitted encrypted (see
recent plenary sessions at IETF88).


> Putting SNI info in an encrypted handshake would make that information
> > unavailable to passive attackers.
>
> This is a dangerious illusion.  As long as SNI will travel in the clear in
> protocol versions up to TLSv1.2, it *WILL* leak.  Maybe not from your
> client, but someone elses older client going to the same service.
>

Martin, with your argument why should we fix anything at all in any product
or design?

The proposed solution FIXES passive pervasive surveillance in TLS 1.3.

Your proposal fixes nothing, keeps an identified and acknowledged security
flaw in TLS 1.3 and enables passive pervasive surveillance.

Let's make pervasive passive surveillance harder.

Your other concerns that there other ways how an attacker can get the host
name are noted and are out-of-scope for the TLS-WG (yes, the NSA can even
get a FISA order...but we wont fix that one either....and enabling IPSEC
does not scale (yet)).


regards,

ralf