IETF Logo Mail Archive

[TLS] ECH not protect SNI

涛叔 <hi@taoshu.in> Thu, 18 August 2022 23:05 UTC

Return-Path: <hi@taoshu.in>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00D24C1524D0 for <tls@ietfa.amsl.com>; Thu, 18 Aug 2022 16:05:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQJZUifZKg3M for <tls@ietfa.amsl.com>; Thu, 18 Aug 2022 16:05:21 -0700 (PDT)
Received: from relay12.mail.gandi.net (relay12.mail.gandi.net [217.70.178.232]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64A49C1524C6 for <tls@ietf.org>; Thu, 18 Aug 2022 16:05:20 -0700 (PDT)
Received: from smtpclient.apple (unknown [114.88.164.186]) (Authenticated sender: hi@taoshu.in) by mail.gandi.net (Postfix) with ESMTPSA id 9F3C8200002 for <tls@ietf.org>; Thu, 18 Aug 2022 23:05:12 +0000 (UTC)
From: 涛叔 <hi@taoshu.in>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.0.8.1.1\))
Message-Id: <5D283623-EBD0-42AE-B753-EDD221D05F1C@taoshu.in>
Date: Fri, 19 Aug 2022 07:04:58 +0800
To: tls@ietf.org
X-Mailer: Apple Mail (2.3731.0.8.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bZaAbCPNGLMV95G1aoX7Ny9TJvA>
Subject: [TLS] ECH not protect SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2022 23:05:26 -0000

Hello, Guys,

I have read the draft-ietf-tls-esni-14, and found the ECH does not protect the SNI.

Because if the client use the outdated ECH config to encrypted the ClientHelloInner,
it will not be decrypted by the client facing server.

In order to correct the client, the server will finish the handshake using the
ClientHelloOuter, which has its own SNI. And the server will send new ECH configs
encrypted by its SSL certificate. So the client can verify the new configs is valid.

In my own opinion, this design only hide the original SNI, but still depends the
client-facing server's domain name. It has two drawbacks:

1. If one domain want to deploy ECH in share mode, it have to offer one addition domain
for the ClientHelloOuter.
2. Even the real domain will be encrypted, the shared domain don't. And if the outs
domain been blocked, all the inner domain will gone.

So my question is why not just use the DNSSEC method the correct the client who
has some outed ECH configs?

If the client-facing can not decrypted the ClientHelloInner, all it needs to do is
send the new HTTPS DNS records and their RRSIGs. And the client can validate them by
the DNSSEC methods.

By this design, there is no need to establish the outer TLS handshake. And no additional
outer domain any more. The client does not need to know or deploy two domain as well.

And for almost TLS handshake, their even no need to a SSL certificates. Because we can
deploy some public key by the DNS, and make a PSK handshake to the server.

So why the working group does not choose the DNSSEC method?

Thanks

Taoshu(涛叔)

v2.23.0 | Report a Bug | By Email