IETF Logo Mail Archive

Re: [TLS] In support of encrypting SNI

Marsh Ray <maray@microsoft.com> Thu, 15 May 2014 21:50 UTC

Return-Path: <maray@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A4851A014B for <tls@ietfa.amsl.com>; Thu, 15 May 2014 14:50:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOdkzsvWQKnl for <tls@ietfa.amsl.com>; Thu, 15 May 2014 14:50:34 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 969161A0144 for <tls@ietf.org>; Thu, 15 May 2014 14:50:34 -0700 (PDT)
Received: from BY2PR03MB554.namprd03.prod.outlook.com (10.141.141.156) by BY2PR03MB555.namprd03.prod.outlook.com (10.141.141.27) with Microsoft SMTP Server (TLS) id 15.0.944.11; Thu, 15 May 2014 21:50:25 +0000
Received: from BY2PR03MB554.namprd03.prod.outlook.com ([10.141.141.156]) by BY2PR03MB554.namprd03.prod.outlook.com ([10.141.141.156]) with mapi id 15.00.0939.000; Thu, 15 May 2014 21:50:25 +0000
From: Marsh Ray <maray@microsoft.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] In support of encrypting SNI
Thread-Index: AQHPb/n1N51p6bJHgkerv5ryJDuvgptBbPkAgAC+D7A=
Date: Thu, 15 May 2014 21:50:24 +0000
Message-ID: <db6db54b9a8c48a0b2879298554116c0@BY2PR03MB554.namprd03.prod.outlook.com>
References: <537448DD.7010806@accessnow.org> <53749388.80009@cs.tcd.ie>
In-Reply-To: <53749388.80009@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
x-forefront-prvs: 0212BDE3BE
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(428001)(189002)(199002)(85852003)(83072002)(101416001)(15202345003)(86612001)(15188555004)(92566001)(86362001)(87936001)(15975445006)(19580395003)(4396001)(2656002)(76576001)(77096999)(83322001)(54356999)(99396002)(99286001)(76176999)(50986999)(79102001)(74316001)(77982001)(76482001)(21056001)(33646001)(561944003)(31966008)(74502001)(81342001)(74662001)(81542001)(46102001)(64706001)(20776003)(80022001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB555; H:BY2PR03MB554.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=maray@microsoft.com;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Yge5H7t_vSTi7PeV-0H0nNOpsYk
Subject: Re: [TLS] In support of encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 May 2014 21:50:37 -0000

From: Stephen Farrell
http://www.ietf.org/mail-archive/web/tls/current/msg08722.html
> A workable SNI encryption scheme is of course what we'd like, 
> and would blow the above out of the water, but if we don't find
> a workable SNI encryption scheme now, there might be reasons
> to think about the structure above and there are definite
> reasons to think about tempora as an attack.

Dan Blah writes:
> Many of the discussions and subsequent decisions that move forward 
> here are incredibly important to OTF's work. As such, I wanted to toss 
> in our support for the coming version of TLS 1.3 to "Encrypt as much 
> of the handshake as possible". This should include all of the metadata 
> and TLS-layer routing information. We think by default is important 
> for those threatened users we work closely with.

From: Nikos Mavrogiannopoulos
> The best would be for TLS 1.3 not to bump the protocol version number.
> It could masquerade as TLS 1.2 and use extensions to negotiate any new
> functionality. That way it wouldn't have any interoperability issues
> (if we ignore for a moment the client hello size issues).

Apologies to those who have heard this before, but I lose stuff in the volume.

A couple of years back I made a detailed proposal precisely for encrypting
"as much of the handshake as possible" (including SNI) using
TLS 1.0-compatible extensions:

http://tools.ietf.org/id/draft-ray-tls-encrypted-handshake-00.txt
   This specification defines a Transport Layer Security (TLS) extension
   which allows endpoints to negotiate the use of encryption with
   forward secrecy at the beginning of the handshake.  Two levels of
   functionality are defined.  Implementations are free to support one
   or both levels, with the first level incurring no additional
   computational or round-trip overhead.  The TLS cryptographic
   calculations are unchanged.

The Introduction section describes my then-current thinking on the
topic. The ensuing list discussion felt productive:
http://www.ietf.org/mail-archive/web/tls/current/msg08722.html

- Marsh
---------------
Boilerplate disclaimers apply.

v2.23.0 | Report a Bug | By Email