Re: [TLS] Working Group Last Call for ECH

Eric Rescorla <ekr@rtfm.com> Thu, 21 March 2024 05:46 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 20 Mar 2024 22:46:16 -0700
Message-ID: <CABcZeBM=0t6+fJk9Hwc1bX-xzZFbBjS1JZHTA89ucnvapxpqxw@mail.gmail.com>
To: Raghu Saxena <poiasdpoiasd@live.com>
Cc: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cwXPZfpvN-ZzgQoCjAxotNqoomY>

On Wed, Mar 20, 2024 at 10:39 PM Raghu Saxena <poiasdpoiasd@live.com> wrote:

>
> On 3/15/24 00:02, Eric Rescorla wrote:
> >
> >
> >     So, if I understand correctly, for my domain "abc.com", I could
> >     purposely choose to have my ECHConfig public_name be "google.com", and
> >
> >
> > As I said earlier, using "google.com" would be unwise because it
> > would allow Google to mount an attack where they terminated
> > the connection and replaced the ECHConfig. You should instead
> > use a name that is either unregistrable or that you control.
>
> Just so I understand correctly - the scope of the attack if they were to
> really intercept the TLS handshake and replace the ECHConfig, would
> allow them to "just" decrypt my ClientHelloInner, correct? Since
> ultimately the real origin I am connecting to (e.g. "mydomain.com") is
> not something they control, and so they can't present a valid cert for
> it and complete the full TLS connection (i.e. impersonate the true origin).
>

Correct.

-Ekr


> At least this is what I understand from Section 6.1.7, specifically:
> "Note that authenticating a connection for the public name does not
> authenticate it for the origin. The TLS implementation MUST NOT report
> such connections as successful to the application."
>
> Regards,
>
> Raghu Saxena
>
>
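
A toy model of the client behaviour discussed in this message, added here as an illustration and not taken from the post or from any TLS implementation. It performs no cryptography; the `Server` and `connect` names, the key labels and `cover.mydomain.com` are constructed for the example, and the same party is assumed to answer both the first attempt and the retry.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Server:
    """Constructed model of whichever party answers the connection."""
    cert_names: set                     # names it holds valid certificates for
    ech_keys: set                       # ECH keys it holds the private half of
    retry_config: Optional[str] = None  # key offered in retry_configs on rejection

@dataclass
class Result:
    app_success: bool            # what the TLS stack reports to the application
    inner_hello_decrypted: bool  # did this server read ClientHelloInner?
    note: str

def connect(origin, public_name, ech_key, server, may_retry=True):
    if ech_key in server.ech_keys:
        # ECH accepted: the server read the inner hello and must now
        # authenticate as the real origin.
        ok = origin in server.cert_names
        return Result(ok, True, "ECH accepted, origin cert " + ("valid" if ok else "invalid"))
    # ECH rejected: the client authenticates the server for public_name only.
    if public_name not in server.cert_names:
        return Result(False, False, "ECH rejected, public_name cert invalid: abort")
    if may_retry and server.retry_config:
        # retry_configs are accepted because the public_name cert checked out.
        return connect(origin, public_name, server.retry_config, server, may_retry=False)
    return Result(False, False, "public_name authenticated, never reported as success")

def scenarios():
    origin = Server({"mydomain.com", "cover.mydomain.com"}, {"origin-key"})
    # Party that holds a google.com certificate and terminates the connection.
    other = Server({"google.com"}, {"other-key"}, retry_config="other-key")
    return {
        "honest": connect("mydomain.com", "cover.mydomain.com", "origin-key", origin),
        "foreign_public_name": connect("mydomain.com", "google.com", "origin-key", other),
        "own_public_name": connect("mydomain.com", "cover.mydomain.com", "origin-key", other),
    }

if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:20} {r}")
```

With a `public_name` owned by someone else, that party can get the inner hello encrypted to its own key but still cannot authenticate as the origin; with a `public_name` the site controls, the substituted config is never accepted.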