IETF Logo Mail Archive

Re: [TLS] Encrypted hellos (was Re: "Encrypted" SNI)

Dave Garrett <davemgarrett@gmail.com> Wed, 17 May 2017 01:54 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9328126CE8 for <tls@ietfa.amsl.com>; Tue, 16 May 2017 18:54:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6e78ADi3j59l for <tls@ietfa.amsl.com>; Tue, 16 May 2017 18:54:38 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5E6D12ECAE for <tls@ietf.org>; Tue, 16 May 2017 18:50:45 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id t26so135502112qtg.0 for <tls@ietf.org>; Tue, 16 May 2017 18:50:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=CtgU3kmWLe+TFNfKrSdZrGEnD3il6GjeE1qZlRHIQMY=; b=MgF+ykllx+Kky2xRcRPzT1fB905LAshNrCGcs8jskUOSC4f8UyhBxE8RSSAm8Gpahy CyFgrXMOU9PWVtWERuuZ0+Su8XNKQgxVmTqZOCM4Jk5QxQUIMn1ZM9nyjP9SLAn0p5ZY RFmMJqKGlj24jFt2xWkXAiEkRx3reT032/a9/TtXo+O/Y8tFw4MZHliqoYxoqBtc2FMC Qw+FsYNd+0drDMWsoNtK3cKR98JyOqY4SVSQDYfvPUtUyAzcfIiDft24rJdJUhP+x3j8 1IzAxGJGaK9lnMuMHcgIfOcqFS0NKK4rICXR0bz6Xi1VcHYcKg0Z7euncaCRlqdPeDOG 1dpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=CtgU3kmWLe+TFNfKrSdZrGEnD3il6GjeE1qZlRHIQMY=; b=OU8EMVW4ZZhzwZC2/l9vFgyuc66Nbi+ifd0blDK5Wth/YCLO8cI8kBB/++ap9sEpBO M94IGo9moJGBNByV9ciC9GwUA6ZN7oRjQqwQ4plhRkB9I83xuePACG4qZdvzqZ/tN616 TPRPWM4gaEUVIcpAfDGPwPxmNL1MJ+RyzV4FMkKGoR6yhWja2CC6QmxeqldZWvA3425z /UxsIDeZAqOoqQTEd/zDciDmleEL2JFRXotMPCS+ffL7rLrmZTPpP4HJVbcPCI3iq7JW wc7Zg9aymNKchSdAnDtWm8xXhQEb1a5Ppe8rfuLYisFprsjautC49Fwh1tWmB07ER3cQ JIDA==
X-Gm-Message-State: AODbwcCe1JXdnlrxE3X3ZcxauifioTAVenbgSCaOu6ZZZkyRcmmfX+9s NcC644c/MSNiyA==
X-Received: by 10.237.36.42 with SMTP id r39mr818156qtc.159.1494985844782; Tue, 16 May 2017 18:50:44 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-185-36-197.phlapa.fios.verizon.net. [71.185.36.197]) by smtp.gmail.com with ESMTPSA id g129sm430708qke.9.2017.05.16.18.50.43 (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 16 May 2017 18:50:44 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Hubert Kario <hkario@redhat.com>
Date: Tue, 16 May 2017 21:50:41 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
Cc: Christian Huitema <huitema@huitema.net>, tls@ietf.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Ilari Liusvaara <ilariliusvaara@welho.com>
References: <3768598.32hupQ9b2b@pintsize.usersys.redhat.com> <201705151610.01070.davemgarrett@gmail.com> <2347596.YMnKhrj8b1@pintsize.usersys.redhat.com>
In-Reply-To: <2347596.YMnKhrj8b1@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201705162150.42470.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WEk-EHLOwX78XTZtEjUYcPeKHWI>
Subject: Re: [TLS] Encrypted hellos (was Re: "Encrypted" SNI)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2017 01:54:40 -0000

On Tuesday, May 16, 2017 07:35:16 am Hubert Kario wrote:
> On Monday, 15 May 2017 22:10:00 CEST Dave Garrett wrote:
> > On Monday, May 15, 2017 07:56:44 am Hubert Kario wrote:
> > > I respectfully disagree. That system requires tight coupling between the
> > > TLS implementation and DNS. This is not something that facilitates TLS
> > > deployment. We want more TLS/HTTPS deployment, not less.
> > 
> > I completely understand why you'd disagree on these grounds. My argument is
> > that whilst this does require a significant amount of coordination, it's a
> > more productive route than just focusing on SNI encryption, which still has
> > its own share of problems. (hence us not agreeing on a way to do it yet)
> 
> Is there anything else sensitive in the Client Hello?

Yes. (lower priority info, but nonzero) I'm of the philosophy that implementations
should be open to arbitrary audit, but their messages should not give any
info away that it doesn't have to. Frankly, figuring out how it can be misused
is secondary; I assume it can.

A hypothetical scenario: Lets say I've got a client using a device, and moving
between multiple networks (e.g. joins various WiFi over time). Lets say the
attacker is passive and cannot reliably know what the IP of our client is at
all times. The user will most likely consistently use the same client software.
Various different implementations will make various different choices with
the many switches and options in TLS; fingerprinting implementations based
on their ClientHellos is not that hard. If the user has changed anything
from default that affects TLS via hellos, fingerprinting becomes much easier.
This means that an attacker can one, guess what software the target user
is using and make it easier to attack (and possibly decide to use active
attacks at some point), and two, attempt to track a user with a changing IP
across connections. Lets say our user goes through various WiFi networks
and our attacker can listen in on all of them (not necessarily a tall ask), or
we only care about a specific (set of) server(s) and can listen to their traffic.
If the attacker can link the user to one IP, and see its ClientHello, then
it can guess a window where the client switches from one IP to another,
look for ClientHellos, and then narrow down the possibilities of who the
target is in that list based on the prior fingerprint. If unique enough, or
combined with other information to narrow it down further, the client can
be identified across networks. There's of course other reasons clients can
switch between IPs; Tor users can come out of different exit nodes over time.
The point here is that not being able to fingerprint the ClientHello would
make it much harder to track targets across IP changes.

Additionally, whether or not a client is resuming a session is revealed in
the ClientHello. This information can also be used to identify clients, and is
itself potentially private information that the user may not wish to be
disclosed.

I'm sure we could come up with some other bits of information that get
leaked that could be used in some creative way in the future. I also assume
that some implementation will at some point put something incredibly stupid
in its ClientHello that needs extra protection. I'd prefer we just attempt to
always encrypt it all and call it a day. ;)

> Either way, to properly 
> encrypt SNI with forward secrecy requires the same system that would be 
> necessary to encrypt the whole Client Hello.

I get the impression that some people consider "proper" encryption of SNI
to be something less important than getting it encrypted in any way. (e.g.
a trial hashing idea was brought up) I'm not opposed to attempting to get
a minimum viable SNI encryption scheme out there, but I think those efforts
are better aimed higher. (and doing just SNI makes us less likely to consider
full hello encryption in the future)

> > The most practical short-term route would likely be to continue to hold our
> > noses and expect cleartext SNI, but maybe provide a very simple way for
> > servers to put a flag in a DNS record to opt-out entirely when they can do
> > without.
> 
> The point of encrypting SNI is so that you can hide a website on a shared 
> hosting host. If you have just one website on a host, there's nothing to 
> hide... Opting out by servers also makes the interesting targets more visible 
> (see also: email encryption).

Point taken, but you can change your IP more often than your domain. Not using
SNI at least increases the amount of effort required to figure out the destination.


Dave

v2.23.0 | Report a Bug | By Email