IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for ECH

Amir Omidi <amir@aaomidi.com> Wed, 13 March 2024 15:40 UTC

Return-Path: <amir@aaomidi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EB20C14F74E for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 08:40:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaomidi.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nzKjBg4P-Udb for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 08:40:37 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA45DC14F680 for <tls@ietf.org>; Wed, 13 Mar 2024 08:40:37 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-a28a6cef709so802668766b.1 for <tls@ietf.org>; Wed, 13 Mar 2024 08:40:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaomidi.com; s=google; t=1710344436; x=1710949236; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HCWiN2nuZ4WR0fPTdG8WlsSrGUV19nEQdsKsNorFxog=; b=XmTF1HyfLcRoTttyD2mp60IfntKD4AbFo5PfYDSRrjeoIkYsf/nw52tQOIqQMh1wii /7HLRyfbSIxIodRQrn4Ro7JwydjKeLqp2LEI0f9yiRGyEB4vBq9nhP2yAiY0HrgVqgf/ YCzuNnksLcrNkeIk2NWJ0cWsCcgZARbkY3pLgNcQ/r02ZvNwLt47xXXO74QT2Y3FvFiO nh7aE6+sTvx1CWVJEcWQdtMchaDB24vLjOmjn6gxy4ZSeblrt+/KM3qFlFzGT8dR2F9D eG7BhVTImVERlyRv37c7omDQk7Nk75gPkyskjoGBHD5nzTDJPEOEXGVGbZ/7ovbNrdLB 3O6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710344436; x=1710949236; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HCWiN2nuZ4WR0fPTdG8WlsSrGUV19nEQdsKsNorFxog=; b=sGQipH/Itt/Qaqx1VBIQhaoyVeailYg1XKvDqxx825fcBg6fGjgrFSpADjERoBjhnq 1EZ1r8Dz93tzl6jpXKFLExVnss+didTCqLSFbeNs1eGBTqj6V5kVgIFJOk8Gc9b6qAme IVNEDmLL4IjSeNth1OkSzwy7o+JY8BDb8BsScyLkOhrSWzEEvYNhBqCsVx1d4A/zdNoj OEqYLZBjfuj8mxQ6GrlBfCdHzJj04JVNbMKBeJoMo5wZGGrvcjU36mMsCxk8+EOUEJJ2 tbvYEnXEbnFUXWfT9HxPDMNlIcBhnaDW/m8+YjyJlTmZAB/wdtUX2hDNjuMHwyforFK4 o3Mw==
X-Forwarded-Encrypted: i=1; AJvYcCXOaEGxvQKkfgedWk6Zs0Wnig9G0LdGIy7fVI03vOEPWTVaAHwwyK2kKjLdcyAlY2lJumteKKs77Z2tsn8=
X-Gm-Message-State: AOJu0YyFMi1Ap2HsZYmh21hPMSTID0wHKTyKnJS+clDT9B7QAWLp7hxT RogjMwRVWXKyauvThNO91S9OC1g48xhXrFyaY0nn932YERwK1d7dcmam5NfoP9up5JUSNFB5qbk 82KQx4WNQYcFnV4VVzHTBBPN6o0DpXiek6TJV3rPB2E+zCg1b
X-Google-Smtp-Source: AGHT+IFm+9IsasWCJhyIZidTf2NFHnUV9FfQaj9qgF4c1oke6AChBFYbSZkOJ42Hg4z64Zjhyb3ZcOkfSgYqwfaVOOo=
X-Received: by 2002:a17:906:2616:b0:a44:30f8:ff45 with SMTP id h22-20020a170906261600b00a4430f8ff45mr7722995ejc.52.1710344435559; Wed, 13 Mar 2024 08:40:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com> <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CABcZeBPK+jdirtxVPJWipXs0odhsqwsG088NC=OPpd4R=q16Zg@mail.gmail.com>
In-Reply-To: <CABcZeBPK+jdirtxVPJWipXs0odhsqwsG088NC=OPpd4R=q16Zg@mail.gmail.com>
From: Amir Omidi <amir@aaomidi.com>
Date: Wed, 13 Mar 2024 11:40:23 -0400
Message-ID: <CAOG=JUKSjbPoz-xBHExrdgtSGTKYYTtnvO18o=qTm7eC2Anc4w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Raghu Saxena <poiasdpoiasd@live.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000868db006138c9821"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c-jVdM8TFFSeHdEcyeC7SkXRJP0>
Subject: Re: [TLS] Working Group Last Call for ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 15:40:41 -0000

I'd like to understand how the behavior of the latest draft will be under
an adversarial condition.

One of the things that really excited me about ESNI back in the day was
effectively making it near impossible for countries, like my home country
Iran, from being able to effectively censor the web. AFAIK Iran's main
censorship mechanism revolves around looking for ClientHello's and then
sending a TCP reset when that SNI matches a censored domain.

I'm wondering, are we losing that ability from ESNI with this plain text
field? Maybe there can be an understanding in the RFC that the client may
omit, or falsify this plaintext field for a bit of extra adversarial
security in these circumstances?

On Wed, Mar 13, 2024 at 11:26 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, Mar 13, 2024 at 2:15 AM Raghu Saxena <poiasdpoiasd@live.com>
> wrote:
>
>> On 3/13/24 14:51, Watson Ladd wrote:
>>
>> > I'm not sure what problem you want us to solve here. In the case of
>> > server offering a single domain, an attacker can determine that
>> > connections to that domain go to the server and cheaply block based on
>> > IP. As a result the threat model is one of distinguishing between
>> > connections to two different inner names.
>>
>> An IP can be cheaply recycled as well, for instance restarting a VPS on
>> a cloud provider. Furthermore, IP based blocking may even be discouraged
>> at a higher level, for the exact reason that IPs can change pretty
>> easily. As an operator, I might be able to migrate my hosting to a new
>> server provider (and hence IP) trivially, but informing my users of a
>> domain change is much harder.
>>
>
> Yes, but the attacker can easily learn these IPs merely by querying
> the DNS. Moreover, they can learn the associated domains by sending
> a CH with no SNI at all and seeing what's in the certificate.
>
>
> > DNS does not propagate atomically with webserver configuration
>> > changes. It's thus necessary to deal with mismatches.
>> While this is true, if there is a configuration mismatch (and hence ECH
>> cannot work), why is the decision made for the server to transparently
>> "downgrade" it to non-ECH, instead of sending some kind of alert that
>> signifies the client to retry without ECH?
>>
>
> Three reasons:
>
> 1. Such an alert would be insecure because an attacker could forge it,
> thus causing the client to send ECH in the clear.
>
> 2. It allows the server to be completely ECH unaware rather than needing
> to special case an ECH alert.
>
> 3. It allows the server to securely provide a new ECHConfig.
>
> -Ekr
>
>
>
>> Regards,
>>
>> Raghu Saxena
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email