IETF Logo Mail Archive

Re: [TLS] About encrypting SNI - Traffic Analysis Attacks?

Michael StJohns <msj@nthpermutation.com> Tue, 13 May 2014 19:58 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 861B81A01F0 for <tls@ietfa.amsl.com>; Tue, 13 May 2014 12:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AGA6wtrKXk4B for <tls@ietfa.amsl.com>; Tue, 13 May 2014 12:58:00 -0700 (PDT)
Received: from mail-qc0-f175.google.com (mail-qc0-f175.google.com [209.85.216.175]) by ietfa.amsl.com (Postfix) with ESMTP id 0BBFC1A01ED for <tls@ietf.org>; Tue, 13 May 2014 12:57:59 -0700 (PDT)
Received: by mail-qc0-f175.google.com with SMTP id w7so1159270qcr.20 for <tls@ietf.org>; Tue, 13 May 2014 12:57:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=VsjReWZva+npSH+pzHnWUFLeTk+DoJDeZdRrDBCN6FQ=; b=MgkfIO1O91vXI1/kTPgaVGrAGVQbRnndrbuTWCTt5XQgRImHXhTnSebLxPq3t5x4pu b5SoWOwsuXDZJVZbcF50cai72bXlMuw+au9zfnB4L6CBBLX/2DCvtlSs1u+y8KBJbsLZ EO51ryKmLlEmzUz0/rrLFzkPq3tr/EJSAjEE1FvbtdBaLj1nJAuKqGhFrnaIDF4l3TkH lAwgpcRzrKGDldsGQTdeWUSXC2URY06thG/VpPVU7I2b0kETQG3cTipyQca2jFDbPljb o0e842tahf4Ipc5cGn5qziEbHdC3MqYRVkR8/gAwfQBgE8wP6kwbJRr7LwE51wn+lhcY jIQw==
X-Gm-Message-State: ALoCoQl7/zSyKihawRGxIV7WTDbQN0b/0hzbMYIcQi4c8lCQjTSu2P4ptGfjrmU7uMBuvNzG6LbW
X-Received: by 10.140.34.228 with SMTP id l91mr49451103qgl.85.1400011073377; Tue, 13 May 2014 12:57:53 -0700 (PDT)
Received: from [192.168.1.105] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id i3sm12572892qgf.14.2014.05.13.12.57.51 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 13 May 2014 12:57:51 -0700 (PDT)
Message-ID: <53727940.2070900@nthpermutation.com>
Date: Tue, 13 May 2014 15:57:52 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <CAK3OfOi1x9huaazwcO=d72mfOFuV_RyXnfHmFRduhhbJE2miYw@mail.gmail.com> <CALCETrWukS2QJSb01n7OpXD2iaK43OhZr4E8YZyJ6JaorCdBKw@mail.gmail.com> <CAKC-DJjgFrAmxkC-MsmL+-uRWpN_mDPGkV_g-6DhbVH+69EQEQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7130ABEA050@USMBX1.msg.corp.akamai.com> <53725C34.8060105@fifthhorseman.net>
In-Reply-To: <53725C34.8060105@fifthhorseman.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/W-CXV9uqwjWc-lt2nS5J_tCvNck
Subject: Re: [TLS] About encrypting SNI - Traffic Analysis Attacks?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 19:58:01 -0000

On 5/13/2014 1:53 PM, Daniel Kahn Gillmor wrote:
> y If we don't offer a standard mechanism for protecting the 
> confidentiality of SNI (at least against passive monitors) in upcoming 
> versions of TLS, then the dns-privacy discussion is going to have 
> serious trouble sustaining its work by an analgous "little value 
> unless..." argument. We shouldn't sabotage that work. The TLS WG needs 
> to fix the SNI leak, and DNS confidentiality needs to be addressed by 
> the DNS folks if we want to protect this information against passive 
> eavesdropping. --dkg

One of the things missing from this discussion is whether or not 
encrypting the SNI is sufficiently resistant to traffic analysis 
techniques to make it worthwhile:  E.g.  A trivial attack is where there 
are a 100 web sites at a particular IP address, but only one of them has 
a name that is 28 characters in length and that's the one eavesdroppers 
care about.  A non trivial attack is where the web sites can be 
characterized via their patterns of traffic (a web page with 28 items, 
of which 16 are pictures with known fixed lengths).

Random padding can mitigate some of this (but will require some changes 
to TLS) and random reordering of HTTP requests can also help a bit 
(mostly a client side change), but transaction based protocols like HTTP 
(e.g. most of the time I'm pretty sure that the client is sending some 
sort of GET even if I don't know exactly what its asking for) tend to 
reveal the underlying patterns, even if the actual data is protected.

Mike

v2.23.0 | Report a Bug | By Email