IETF Logo Mail Archive

Re: [TLS] Alternative ESNI?

Eric Rescorla <ekr@rtfm.com> Sun, 16 December 2018 20:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 563DD12D4F0 for <tls@ietfa.amsl.com>; Sun, 16 Dec 2018 12:29:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.357
X-Spam-Level:
X-Spam-Status: No, score=-3.357 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OeeMqOuXV9Ia for <tls@ietfa.amsl.com>; Sun, 16 Dec 2018 12:29:46 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1088412D4EF for <tls@ietf.org>; Sun, 16 Dec 2018 12:29:46 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id f23so7913984lfc.13 for <tls@ietf.org>; Sun, 16 Dec 2018 12:29:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3zUiGq02qt9hy3oOC293Ti57r7hTZpUVWi0BTPPGTzM=; b=SquYZFwLbLkT0Z1TQE5fikjlX73Zmix7lVRJ2vtOSePKTPPdWfRL4wqJwxciJ27ovn +xnhTP7Sa0rt4C/rDAK1Khae/u2PEhttGXR7ICR9aj6mVBOEHQJlKYCN7p1HBvuXAF8u RFbepX5N8qPcKtfslDWIR6KcwlNrwZtt+bUgasHZCf4umBAwxLvxvfA56kzWol2I0jxM xfIhGtAIKzJngMkwS5G+N6Kk+PffhWCS6CIAPEAqiiHPn1HgRK8AnfbzjxBp6znfgMIK z+UHNVc9qHfsHe/I8n/yIrLbV0HXsZmd3yiH0hmu0Or2i1ILzDoBr8J/ypxCvHv90Fh8 razg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3zUiGq02qt9hy3oOC293Ti57r7hTZpUVWi0BTPPGTzM=; b=lDRBVHoqdzSSGZbWGZ4fYuSLfZRTHnVmLk7BIrBqL2SkF3IWaRaH2qsCVUgIw939Sf 21QgoWznG2JD1ELUHu/PPrtrIs7uw27iRTETOCI3xnUm6+cFnP4coWTqIPakMXZLcNoQ wkMOS/md4w83kLHYwAvZUwEMpfFZMGOc3jzMqJjfiS176I6Aq0QRlv55QPN6B2SMBnZG PAj/mZeCbI78LXUsxtlpNIB5OfanfCdljwHjSUS4k8c3ENsKyfev9q9PXpagoXuMQATW IQ8nP/d0qYWv0XSJhk7/yWT5LJiQ05IxOPAscKbwtH775cxvvdbH18WP7iczE7PjHotR eJhg==
X-Gm-Message-State: AA+aEWZcvtt2njoqzdzfmE+0CdO1p3LhVSOhP1YRbkwITSzgerUOt2ew VsaxLTFUasJ7NH+C/Smbs83QslXsPIHO9t8aeQ2lqg==
X-Google-Smtp-Source: AFSGD/WPbhPi2aV9/FIVCQ/B3c6ixlmN29sQhXz1t7/bqpqe+e+IXwB0F4+vU0dYZCaBCuUTiz4oPOD9sH31gKK3UWg=
X-Received: by 2002:a19:41c4:: with SMTP id o187mr6253177lfa.32.1544992184180; Sun, 16 Dec 2018 12:29:44 -0800 (PST)
MIME-Version: 1.0
References: <20181215025346.GJ15561@localhost> <CABcZeBM_7LF-UDH8NR3Kad-8zSJBWwuNsDEJVAagHf1cV4Ow6g@mail.gmail.com> <alpine.LRH.2.21.1812161439170.14874@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1812161439170.14874@bofh.nohats.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 16 Dec 2018 12:29:07 -0800
Message-ID: <CABcZeBNyF6kP7iHZjDq0w+OtOOj5d67J8sCkLYwA5xaFTW8Q8Q@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000051ba32057d2986d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/d6rQUgEPEPfIZpcbmtxB9L8heDY>
Subject: Re: [TLS] Alternative ESNI?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Dec 2018 20:29:49 -0000

On Sun, Dec 16, 2018 at 11:45 AM Paul Wouters <paul@nohats.ca> wrote:

> On Fri, 14 Dec 2018, Eric Rescorla wrote:
>
> > However, in a large number of cases (e.g., an attacker on your local
> network,
> > there are non-DNSSEC ways of obtaining this property, such as using DoH.
>
> Data origin authenticity is not the same as transport security.
>

Yes, I'm quite aware of this fact.


DoH offers no guarantee that the non-dnssec protected information you
> received is not modified.
>

As with all things security, it depends on your threat model. If the
attacker you
are concerned with is between you and the DNS server, then in fact it does
provide protection.


Unfortunately, I keep needing to say this on various IETF lists. The
> move towards "blindly trusting DNS over HTTPS/TLS" servers is misguided
> and just moving the goal post.
>

I don't think this is a very accurate characterization of the situation. At
present,
the vast majority of DNS information is not DNSSEC protected [0], and yet we
have to rely on it. If there's a "blindly trusting" in this discussion,
it's that. DNS
over HTTPS is designed to improve the situation, though of course it's not
a panacea.

However in *this* case, it actually covers a pretty large fraction of the
threat
model, because (1) many attackers are close to the user and (2) if the
attacker
controls your DNS server, then they learn which site you are going to in
any case even before you send SNI. Even if all the attacker can do is
*modify*
records rather than observe queries, this is often enough. For censorship
applications,
they just serve a blackholed IP address, and for surveillance applications,
an
attacker with significant network capabilities can serve a dedicated IP for
each
server name and then forward the traffic.

Note that DNSSEC does not help very much in this case. If the attacker is
the server, they don't need to modify records, and if they are not the
server,
then DNSSEC protection relies upon the client hard-failing on DNSSEC
failures,
which generic clients do not do because it would cause unacceptable failure
rates.

-Ekr

[0] https://www.cs.umd.edu/~dml/papers/dnssec_imc17.pdf provides an overview
of the extremely depressing state of play; only 1% of .com is properly
signed
and about 30% of domains which have DNSSEC don't publish all the records
needed to verify the domain.

v2.23.0 | Report a Bug | By Email