Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
Ralf Skyper Kaiser <skyper@thc.org> Thu, 07 November 2013 19:36 UTC
In-Reply-To: <20131107185957.8B48C1AA69@ld9781.wdf.sap.corp>
References: <CA+BZK2qUE3oS6Sbp1HbKZ7Wgen9gEjjdepON1egLhGqCPpoVBw@mail.gmail.com> <20131107185957.8B48C1AA69@ld9781.wdf.sap.corp>
Date: Thu, 07 Nov 2013 19:36:17 +0000
Message-ID: <CA+BZK2qvGS-UewoqGzn7YF15tk6JCOvytie7F=ankjia-W+L7Q@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: mrex@sap.com, "tls@ietf.org" <tls@ietf.org>
Hi Martin,

(see also my full email further below where I mention DNS and why the shortfall of current DNS should not stop us from fixing TLS - because otherwise the DNS guys say there is no need to fix DNS because SNI in TLS is cleartext as well... we have to start somewhere... Please also see comment on how just having DNS leaking this information raises the cost for surveillance and in some cases makes it impractical if not impossible - that's the goal.)

regards,

ralf

On Thu, Nov 7, 2013 at 6:59 PM, Martin Rex <mrex@sap.com> wrote:

> Ralf Skyper Kaiser wrote:
> >
> > Some thoughts why SNI (host name) should be
> > transmitted encrypted and not in clear.
>
> But you are aware that there is no such thing as a
> "confidential DNS lookup" (confidential towards whom anyways),
> so that in general, what your browser is connecting will be
> directly preceded by a cleartext DNS lookup with that very name...
>
> (Not revealing the "next protocol" or client certs/identities
> is a different issue.)
>
> -Martin