IETF Logo Mail Archive

Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Yoav Nir <ynir@checkpoint.com> Thu, 07 November 2013 20:07 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1F7A11E8275 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 12:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.527
X-Spam-Level:
X-Spam-Status: No, score=-10.527 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PEHHC6idZS27 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 12:06:59 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 7900F11E829A for <tls@ietf.org>; Thu, 7 Nov 2013 12:06:49 -0800 (PST)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id rA7K6j5R006217; Thu, 7 Nov 2013 22:06:45 +0200
X-CheckPoint: {527BF150-0-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.106]) by DAG-EX10.ad.checkpoint.com ([169.254.3.213]) with mapi id 14.03.0123.003; Thu, 7 Nov 2013 22:06:45 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Ralf Skyper Kaiser <skyper@thc.org>
Thread-Topic: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
Thread-Index: AQHO29cQ9VyMic6aPkyI1tVd5LOXZJoZ1sKAgAAGd4CAAAeWAIAABPCAgAAhNICAAAJPgIAAA0sA
Date: Thu, 07 Nov 2013 20:06:44 +0000
Message-ID: <19DC19A0-3620-4D05-A487-EC34BEBACE18@checkpoint.com>
References: <CA+BZK2qUE3oS6Sbp1HbKZ7Wgen9gEjjdepON1egLhGqCPpoVBw@mail.gmail.com> <CACsn0c=VWmsfxvE_17+FyBASUXPCNrS1FQQ02fzhF5rA6zx4wQ@mail.gmail.com> <CA+BZK2oAj6FmXTbDoY0oRHpHFVzeN-NmDJde2mJTwOzBW0CdiQ@mail.gmail.com> <EEF0FE50-3032-4C7B-BA07-1845CDEDA155@checkpoint.com> <eb6ba436dfc994f6079ba798d048a02c@mail.gmail.com> <68078EDD-F924-4AA5-A605-E7B688509EE3@checkpoint.com> <CA+BZK2q_f_JrdkdJRC1MirPH2yzRL2Y_28fi4e2MGdc5Uxnksg@mail.gmail.com>
In-Reply-To: <CA+BZK2q_f_JrdkdJRC1MirPH2yzRL2Y_28fi4e2MGdc5Uxnksg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.53]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_19DC19A036204D05A487EC34BEBACE18checkpointcom_"
MIME-Version: 1.0
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 20:07:08 -0000

On Nov 7, 2013, at 11:54 AM, Ralf Skyper Kaiser <skyper@thc.org<mailto:skyper@thc.org>>
 wrote:

Hi,


On Thu, Nov 7, 2013 at 7:46 PM, Yoav Nir <ynir@checkpoint.com<mailto:ynir@checkpoint.com>> wrote:
IMO, if both sites are either collocated on the same machine, or hosted behind the same SSL accelerator, they already share enough that multi-SAN is not a bad thing.

With SNI is it currently stands, the site you are looking for is sent in the clear. If we keep the choose-certificate functionality in 1.3, we still leave it exposed in either the SNI or in the certificate that the server sends. A generic certificate is the only one that hides what the client is browsing.
TLS mailing list

No, SNI can be send encrypted in TLS 1.3 with 'Reduced RT with Privacy' as presented by Eric yesterday. Key Exchange is done before SNI is send and auth is done as last. (What's now cleartext would then require detectable-active attack).


You mean the one in 5.1.1.2 ?

Yes, but the client still sends the SNI before receiving the certificate. This makes it still visible to an active attacker.  But you are right that a passive eavesdropper is now precluded.

Yoav

v2.23.0 | Report a Bug | By Email