IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for ECH

A A <tom25519@yandex.com> Wed, 13 March 2024 15:49 UTC

Return-Path: <tom25519@yandex.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D19F8C14F617 for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 08:49:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yandex.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jT_5Blnlfnc for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 08:49:28 -0700 (PDT)
Received: from forward502a.mail.yandex.net (forward502a.mail.yandex.net [178.154.239.82]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3FD2C14F5E8 for <tls@ietf.org>; Wed, 13 Mar 2024 08:49:27 -0700 (PDT)
Received: from mail-nwsmtp-mxback-production-main-34.vla.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-34.vla.yp-c.yandex.net [IPv6:2a02:6b8:c0d:391c:0:640:65a5:0]) by forward502a.mail.yandex.net (Yandex) with ESMTPS id 9729B61707; Wed, 13 Mar 2024 18:49:24 +0300 (MSK)
Received: from mail.yandex.com (2a02:6b8:c15:2a91:0:640:d5d6:0 [2a02:6b8:c15:2a91:0:640:d5d6:0]) by mail-nwsmtp-mxback-production-main-34.vla.yp-c.yandex.net (mxback/Yandex) with HTTP id MnpaHN2OAKo0-ArxlwEXT; Wed, 13 Mar 2024 18:49:24 +0300
X-Yandex-Fwd: 2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1710344964; bh=paXmdWwGuq23+jZ6NTPS1uSIWWNnc1RjYp4IefMIUy4=; h=Message-Id:Cc:Subject:In-Reply-To:Date:References:To:From; b=d5Hv9fPR68UVfqmRKCK3ZsIFQ1yKgUNDfgbcH290yUmgZ14TBddRWkid6Fc3qaMw3 ksOGxFYelBZqba9cxn6JqYWvA+a/T54n9wsFUzX9FcYHSIXHTP/uGZ/nBG7aG7Tvbs 1OalrZP7e0EnAK1WHQWCH20dQFeNzprykknyNRJc=
Authentication-Results: mail-nwsmtp-mxback-production-main-34.vla.yp-c.yandex.net; dkim=pass header.i=@yandex.com
Received: from zoi6tk2f4jzk7zd7.iva.yp-c.yandex.net (zoi6tk2f4jzk7zd7.iva.yp-c.yandex.net [2a02:6b8:c0c:7a17:0:640:a0d6:0]) by mail-nwsmtp-mxback-production-main-87.iva.yp-c.yandex.net (mxback/Yandex) with HTTP id dmpogH2M3uQ0-rZkstRat for <tom25519@yandex.com>; Wed, 13 Mar 2024 18:49:14 +0300
Received: by zoi6tk2f4jzk7zd7.iva.yp-c.yandex.net with HTTP; Wed, 13 Mar 2024 18:49:13 +0300
From: A A <tom25519@yandex.com>
Envelope-From: tom25519@yandex.com
To: Amir Omidi <amir=40aaomidi.com@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <CAOG=JUKSjbPoz-xBHExrdgtSGTKYYTtnvO18o=qTm7eC2Anc4w@mail.gmail.com>
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com> <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CABcZeBPK+jdirtxVPJWipXs0odhsqwsG088NC=OPpd4R=q16Zg@mail.gmail.com> <CAOG=JUKSjbPoz-xBHExrdgtSGTKYYTtnvO18o=qTm7eC2Anc4w@mail.gmail.com>
MIME-Version: 1.0
X-Mailer: Yamail [ http://yandex.ru ] 5.0
Date: Wed, 13 Mar 2024 23:49:23 +0800
Message-Id: <253111710344559@mail.yandex.com>
Content-Transfer-Encoding: base64
Content-Type: text/html; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZMp92qoPr3Ulk3cvDjraTB4O0CA>
Subject: Re: [TLS] Working Group Last Call for ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 15:49:31 -0000

I think we should change outer SNI randomly and periodicity (e.g 1 hours), if it change fast enough, censor will need to pay a price to block it,


13.03.2024, 23:40, "Amir Omidi" <amir=40aaomidi.com@dmarc.ietf.org>:
I'd like to understand how the behavior of the latest draft will be under an adversarial condition.

One of the things that really excited me about ESNI back in the day was effectively making it near impossible for countries, like my home country Iran, from being able to effectively censor the web. AFAIK Iran's main censorship mechanism revolves around looking for ClientHello's and then sending a TCP reset when that SNI matches a censored domain.

I'm wondering, are we losing that ability from ESNI with this plain text field? Maybe there can be an understanding in the RFC that the client may omit, or falsify this plaintext field for a bit of extra adversarial security in these circumstances?

On Wed, Mar 13, 2024 at 11:26 AM Eric Rescorla <ekr@rtfm.com> wrote:


On Wed, Mar 13, 2024 at 2:15 AM Raghu Saxena <poiasdpoiasd@live.com> wrote:
On 3/13/24 14:51, Watson Ladd wrote:

> I'm not sure what problem you want us to solve here. In the case of
> server offering a single domain, an attacker can determine that
> connections to that domain go to the server and cheaply block based on
> IP. As a result the threat model is one of distinguishing between
> connections to two different inner names.

An IP can be cheaply recycled as well, for instance restarting a VPS on
a cloud provider. Furthermore, IP based blocking may even be discouraged
at a higher level, for the exact reason that IPs can change pretty
easily. As an operator, I might be able to migrate my hosting to a new
server provider (and hence IP) trivially, but informing my users of a
domain change is much harder.

Yes, but the attacker can easily learn these IPs merely by querying
the DNS. Moreover, they can learn the associated domains by sending
a CH with no SNI at all and seeing what's in the certificate.
 

> DNS does not propagate atomically with webserver configuration
> changes. It's thus necessary to deal with mismatches.
While this is true, if there is a configuration mismatch (and hence ECH
cannot work), why is the decision made for the server to transparently
"downgrade" it to non-ECH, instead of sending some kind of alert that
signifies the client to retry without ECH?

Three reasons:

1. Such an alert would be insecure because an attacker could forge it,
thus causing the client to send ECH in the clear.

2. It allows the server to be completely ECH unaware rather than needing
to special case an ECH alert.

3. It allows the server to securely provide a new ECHConfig.

-Ekr



Regards,

Raghu Saxena

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls" rel="noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls" rel="noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/tls
,

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls" rel="nofollow">https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email