Re: [TLS] Dropping "do not stick out" from ECHO

Eric Rescorla <ekr@rtfm.com> Sun, 22 March 2020 22:16 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 721C13A08E0 for <tls@ietfa.amsl.com>; Sun, 22 Mar 2020 15:16:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gk3hQ-Ni_6s8 for <tls@ietfa.amsl.com>; Sun, 22 Mar 2020 15:16:42 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 480733A08DD for <tls@ietf.org>; Sun, 22 Mar 2020 15:16:42 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id g12so12472465ljj.3 for <tls@ietf.org>; Sun, 22 Mar 2020 15:16:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pSC0dcc71bjpwF9OhQe4pS4OEQeKNWAaXphapvJEJvo=; b=ow0s3O5a0KqeiRkoVHhBpfZLOyPRMmDK2BSl13tjGSkgyZsGGr1928t5smW9gOm9iC 85oUvDYILVXH9eFHL5ey8rV2INkjrOidI5z2I9sTy/YfHz5KPsOKpnY3FVa9VrFT0CAC Hn74bcWMrMIzxLg4hSui5e6dSHsOpwnQS5ehHmIawbLSqht1P0YbM9ISHiX1k3NiaTgM 2oT38pd251Ljz2J38hH0PnW9uFrj8561MQsZWALoTb0Y0itbdvQtwrA3Ejxu1YgcexSa 66UA0HH9geelJ+1aNLJWAFl4lMz+BlonKjqV7mHLUzGW7HWbEnCSv4hcBZaxHLXy83Wu xKjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pSC0dcc71bjpwF9OhQe4pS4OEQeKNWAaXphapvJEJvo=; b=uE8Xoh2TPG7SR1CTzg+0XtaKmqaEtiyQCVS79r8DM1AUZTTV21m3iqXq2+R+AkZTOE c1lZcqkh4pAYE/Rr5muUnNCP9UOx9PzxnTFGxJBcXsQe021UWQ3qgj1OwSHAISA70hgk gBCLUl99AQ3UJJJ08NhQMJEykAf8Jlu5Jf0jyCiV29nZxlxuOOoEj5s85u6VIGp0KFBu BQ+VHuaNuEAl38nVDvRXYLrg7oer3dXtBURDUEgzlmoTM5DBva8QvknSPhWdo8DYjIWS sqnrImJ6hXctwyOJPKA6duNwJxQkAiZLHAb18I7+IqCJgCF44JLpZRlEXejK5J1PfpQb O+zQ==
X-Gm-Message-State: ANhLgQ3zWzoLJNvNeO3h3PYVZH4z8+8Z6XOuvIZdL1GL0QyC9wb07g2q D3Mdfmnqf1umDYp14xBokiyUhgID31s6mU+l+UF5FE/xTZM=
X-Google-Smtp-Source: =?utf-8?q?ADFU+vuQmEGTwxrV0Oj4EN+28N7W2lIT54IRGtHwgteC?= =?utf-8?q?pylMfUvWHubuumaN4ISlmBc9AUL0vxD8V09HDb1oQ19Lv0Y=3D?=
X-Received: by 2002:a2e:81cc:: with SMTP id s12mr12117455ljg.35.1584915400603; Sun, 22 Mar 2020 15:16:40 -0700 (PDT)
MIME-Version: 1.0
References: <EB7DEE42-8EC4-4347-BA10-0EBF90CBF398@heapingbits.net>
In-Reply-To: <EB7DEE42-8EC4-4347-BA10-0EBF90CBF398@heapingbits.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Mar 2020 15:16:04 -0700
Message-ID: <CABcZeBP1RcZDdXrmuu9DEg5jhntzpKPCwCoSRjUfH_W=cFOCpw@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000073c9d905a178df59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Y_uulX7BZFi4smTmZTQWQh-d5xU>
Subject: Re: [TLS] Dropping "do not stick out" from ECHO
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 22:16:45 -0000

I think we should relax this requirement. It's turning out to be hard
enough to design ECHO as-is.

If/when we get ECHO fully designed and widely deployed, we can then try to
find designs which use the same basic design but are more stealthy.

Trying to fix everything at once makes the best the enemy of the good.

-Ekr


On Sun, Mar 22, 2020 at 9:54 AM Christopher Wood <caw@heapingbits.net>
wrote:

> One of the original motivating requirements for ECHO (then ENSI) was "do
> not stick
> out" [1]. This complicates the current ECHO design, as clients must
> trial decrypt
> the first encrypted handshake message to determine whether a server used
> the inner
> or outer ClientHello for a given connection. It's also trivial to probe
> for ECHO
> support, e.g., by sending a bogus ECHO with the same key ID used in a
> target client
> connection and checking what comes back.
>
> I propose we remove this requirement and add an explicit signal in SH
> that says
> whether or not ECHO was negotiated. (This will require us to revisit
> GREASE.)
>
> What do others think?
>
> Thanks,
> Chris (no hat)
>
> [1]
> https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-09#section-3.4
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>