Re: [TLS] Working Group Last Call for draft-ietf-tls-tls13-18 (Martin Rex) Thu, 10 November 2016 17:31 UTC

To: Benjamin Kaduk <>
Date: Thu, 10 Nov 2016 18:30:55 +0100

Benjamin Kaduk wrote:
> On 11/10/2016 11:13 AM, Martin Rex wrote:
> >
> > There is a concept called "provable correctness", and folks (such as
> > those from the miTLS implementation) are using this approach to check/prove
> > whether TLS provides certain security properties (rather than just
> > assuming that these properties are provided).
> >
> > If hiding of ContentType has *real* value, then this property will be
> > formally provable.  If the properties that someone asserts as value
> > can be proven to not exist (one counterexample is sufficient),
> > then the value is an illusion / obscurity, and definitely not real value.
> My understanding was that our current knowledge of what capabilities
> traffic analysis makes possible and the countermeasures against them is
> quite poor, certainly not to the level where rigorous proofs are
> possible.  So, I fear we must be operating "in the dark" in this regard
> for the near future.

Proving that something is secure can be pretty difficult, that is correct.

Proving that something is insecure can be pretty trivial (one counterexample
is sufficient).

For someone who does this formal proving stuff regularly, it may already
be possible today to formally prove that hiding the ContentType cannot
possibly provide any value.

Where is the value in hiding the ContentType of SSL Alerts?

We know that at least one implementation notoriously does _not_ send any alerts
before closing connections.  The installed base has somehow managed
to live with it.  But it's often painful to figure out the cause of
handshake failures, and to distinguish a certain kind of server
accept()ing and silently closing a connection after hitting a bug
(or policy) from an overzealous firewall (NAT or "transparent internet proxy").

So if your implementation has anything to hide, performing a dirty
socket closure (resulting in a TCP RST) will be *MUCH* more effective
in hiding information from observers than hiding the TLS Alert ContentType.

Silent connection closures are certainly much more effective for leaving
rightful communication peers (&helpdesk &support) in the dark about why
the heck communication is failing.
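The mechanism under debate, as an added model that is not part of the thread: draft-ietf-tls-tls13-18 wraps every protected record as TLSInnerPlaintext (content || type || zero padding) under an outer type of application_data, so a passive observer sees only the outer type and the ciphertext length. The code below models that encoding and decoding without performing any encryption; the 16-byte AEAD tag length is an assumption (AES-GCM / ChaCha20-Poly1305), and the alert body used as sample input is constructed.

```python
# Added example: model of TLS 1.3 content-type hiding (TLSInnerPlaintext) as
# described in draft-ietf-tls-tls13-18. No encryption is performed; the code
# models only what the record layer exposes to an on-path observer.
from typing import Tuple

ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23
TAG_LEN = 16  # assumption: 16-byte AEAD authentication tag

# Constructed sample alert body: level=fatal(2), description=handshake_failure(40)
SAMPLE_ALERT = b"\x02\x28"


def encode_inner_plaintext(content: bytes, content_type: int, padding: int = 0) -> bytes:
    """content || type || zeros: the true ContentType travels inside the encrypted payload."""
    if not 0 < content_type < 256:
        raise ValueError("invalid content type")
    return content + bytes([content_type]) + b"\x00" * padding


def decode_inner_plaintext(inner: bytes) -> Tuple[int, bytes]:
    """Recover (type, content) after decryption: strip trailing zero padding,
    the last remaining byte is the ContentType (the draft's receiver rule)."""
    stripped = inner.rstrip(b"\x00")
    if not stripped:
        raise ValueError("no content type found (all-zero inner plaintext)")
    return stripped[-1], stripped[:-1]


def observer_view(inner: bytes) -> Tuple[int, int]:
    """What a passive observer learns from the outer record header:
    the opaque type (always application_data) and the ciphertext length."""
    return APPLICATION_DATA, len(inner) + TAG_LEN


def alert_record_length(padding: int = 0) -> int:
    """Visible ciphertext length of an encrypted alert with the given padding.
    With no padding it is 2 (body) + 1 (type) + tag, a size an observer can spot."""
    return observer_view(encode_inner_plaintext(SAMPLE_ALERT, ALERT, padding))[1]


if __name__ == "__main__":
    rec = encode_inner_plaintext(SAMPLE_ALERT, ALERT, padding=13)
    print("observer sees:", observer_view(rec))
    print("receiver decodes:", decode_inner_plaintext(rec))
```

A silent TCP close, by contrast, produces no TLS record at all, which is the comparison the message draws.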