[TLS] Implicit ECH Config for TLS 1.3 – addressing public_name fingerprinting
Nick Sullivan <nicholas.sullivan@gmail.com> Wed, 26 February 2025 07:15 UTC
Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 76D0119CA9F for <tls@mail2.ietf.org>; Tue, 25 Feb 2025 23:15:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietfa.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietfa.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WD7YtKu51wCk for <tls@mail2.ietf.org>; Tue, 25 Feb 2025 23:15:21 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9C77C19CA49 for <TLS@ietf.org>; Tue, 25 Feb 2025 23:14:56 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-5dee1626093so1042906a12.1 for <TLS@ietf.org>; Tue, 25 Feb 2025 23:14:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1740554095; x=1741158895; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=PgUIf1YDPxsmFi7noGo/ofWIZzO+V9o+GymWyNZiyIE=; b=d3KuStFpaU4/r61Aoz+HitFoQ8wBIrvEOoV656ie70rSwa03YchfkA7pqvk1NVhL5q PbX4G6U97s2i7S3CuGLdLv1gSKDYDcpcjBXeirZwm4m/SN+yVwvLIB+alsfHTuDLsjJc xpL9JW6jCPpnTlrpbUwDl1MbelxvqX1HDJuxSMdoaeoWICBCcHaUAhiSVXAYbqHP5+kV ZquyFsCQmzO1SujAVeGw0pjts7Xjzx/DqZHpeyA0fEkKpCVsc2AGqZ/uTAgQln67bCZz 02oVU1gNPar+lZzVoIAY3eBR4Wt1KYFdeUrtUrwUyNdPrctsykZ64Fpnu9qkTc3TDyin oJJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740554095; x=1741158895; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=PgUIf1YDPxsmFi7noGo/ofWIZzO+V9o+GymWyNZiyIE=; b=LUvo9LYioDG0vj8oNE5cokBJxsNozwWNukedgbT2mo8sH6Mc41UCA3dFbmLflo3TKJ 0FMdLIWEQgXgqJMxSg6UNQ9024cJRYcJ3BVj3l9poLssuPtpCnyjsBsBxsWyYxh4Xgfs f9PASOUw/C+g6IaKUdOW0zwSlVprW64eQDryHiI4WlxVtMyY0Id2sH+iZoEIsbLJDG6E JEtRvV8oESd1bAbppoM3vl1TmiODBR9Mj2Rt2HXVNG4QPDMuDNmxPFKccScFrgxXQukF 4WgzCuybnpmTYqtlmYGQEuoiXBtQsMdwpDDq94EEVPo038wy0P4WScZUZh19QK9sG+G2 7INQ==
X-Gm-Message-State: AOJu0YztmUxxFYr68PtEoftT6fJu3LebWf3KNe6MNC70doL+b/o3WiOt POPKLhpLxnQxuvSvoCZAL/dEu6l3AT2qqql0xebvdZ2o1a1XPPy6UIAb01drNBzgUVEVUZP3QvF eDR1Wl4p4Hxd2VJBQ9uzOA/OXugw8+asZO+GJAZpw0rA=
X-Gm-Gg: ASbGncsofMHckYNzh24oK2VifxK++wiBGd9WrWzar0k7fc1b1uTzyyiWL3lVOHm72Hc jNXiySNLwsiM3+WiFS1uEIWqKWpWTSZzbq2bl0JQMy0FVzxEx8E4HA5DcQIdGuh2lI6g36tuVEg azKT7sFzGc+XTqKA==
X-Google-Smtp-Source: AGHT+IGDCe6QEyUz+xysJdvOXcZFpMA5FOobLhJrrsDAuPmdFJ4MvUiV5KkLXsXPreuOPaEpP7S/usHtN84RT8dVMks=
X-Received: by 2002:a05:6402:1ecf:b0:5e0:8a3f:ef65 with SMTP id 4fb4d7f45d1cf-5e0b62f9bbdmr20424894a12.7.1740554094376; Tue, 25 Feb 2025 23:14:54 -0800 (PST)
MIME-Version: 1.0
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Wed, 26 Feb 2025 15:14:42 +0800
X-Gm-Features: AQ5f1JrnHm0fzUUhP4xi15DZ5MvWUFad6xN71nsIYDGvYtiOGsvkn48kUxOJLGg
Message-ID: <CAOjisRzBNG2KdAZXssnR9Ura9HuAUKxOH+VLCAE5B9MfYyeT2A@mail.gmail.com>
To: "tls@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000820201062f0654ec"
Message-ID-Hash: WPNXPWEZIIM4NMD73GCF2BOOWJ352XIF
X-Message-ID-Hash: WPNXPWEZIIM4NMD73GCF2BOOWJ352XIF
X-MailFrom: nicholas.sullivan@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Implicit ECH Config for TLS 1.3 – addressing public_name fingerprinting
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dT5e5F1yWtFbs0dpESsWO-Cg0AM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi everyone, I’ve put together a draft, “Implicit ECH Configuration for TLS 1.3” ( https://www.ietf.org/archive/id/draft-sullivan-tls-implicit-ech-00.html) as a potential starting point for improving ECH’s “do not stick out” compliance. Global deployments of ECH have become biased because a single public_name dominates most ECH connections, making it a prime target for fingerprinting (see https://github.com/net4people/bbs/issues/417) As discussed on the TLS WG mailing list (see https://mailarchive.ietf.org/arch/msg/tls/4rq4sZzpI9rjYgDLJ2IO-vG9DRw/) the outer SNI remains the primary identifier that enables on-path adversaries to identify ECH traffic. To mitigate these linkability risks, various past proposals were considered. One idea was to randomize or override the outer SNI rather than always using the provided public_name. For example, Stephen Farrell suggested allowing clients to use an arbitrary or blank outer SNI (for certain use cases like censorship circumvention). This would, in theory, make the outer handshake less predictable, increasing traffic diversity across ECH connections. However, others in the WG (e.g. Chris Wood) cautioned that relaxing this requirement essentially reintroduces domain fronting, a side-effect the group was wary of. The consensus was that fallback reliability and simplicity favored sticking with the public_name in SNI. See Github discussions: https://github.com/tlswg/draft-ietf-tls-esni/issues/396 <https://github.com/tlswg/draft-ietf-tls-esni/issues/396#:~:text=For%20at%20least%20command%20line,benefit%20from%20that%20option%20too> . Relatedly, early drafts used an 8-byte config_id, but as documented in discussions around 2020-2021, it was shortened to one byte to reduce its uniqueness and tracking potential—a change that was well received by privacy advocates yet noted by implementers as complicating the deployment complexity for multi-key scenarios, though not enough to hinder deployment. Implicit ECH Configuration, introduced in draft-sullivan-tls-implicit-ech-00, builds on this prior work to propose a mode of ECH that minimizes explicit signaling of the server’s identity. This draft introduces an optional “implicit” mode via a new extension in ECHConfigContents. When this extension is present, clients MAY choose any valid outer SNI and a randomized config_id instead of relying on a potentially globally dominant public_name. Client-facing servers, in turn, MUST perform uniform trial decryption to ensure that every handshake is processed identically, regardless of whether a valid or a phony config_id or outer SNI is provided. This approach enables clients to adopt custom strategies for maintaining broad reachability, ensuring that a single public_name does not become a reliable way for external observers to distinguish ECH from ECH GREASE at scale. It is also useful for improving privacy when client-facing servers support only one or a small number of domains, as it enables clients to choose the outer SNI such that it is not merely a direct stand-in for the inner name. Importantly, I don’t believe this approach reintroduces domain fronting. It’s not possible to use implicit configuration ECH to connect to one site on a server and then trick that server into serving HTTP responses for a second, different site when the TLS certificate used to establish the connection is not authoritative for that second site – the essential thing that distinguishes domain fronting from other techniques. Implicit mode effectively relegates the outer SNI to a mostly symbolic role for these connections, used solely for ensuring network reachability—similar to how certain legacy TLS 1.2 messages were retained in TLS 1.3 to address network ossification issues. This change may have fit into the main ECH draft if it had been proposed earlier. However, ECH has already been submitted to IESG for publication, so I put this together as a standalone extension. I welcome your feedback on this proposal as we work to reduce fingerprinting risks without sacrificing deployability. Nick
- [TLS] Implicit ECH Config for TLS 1.3 – addressin… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Raghu Saxena
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Yaroslav Rosomakho
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Yaroslav Rosomakho
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Loganaden Velvindron
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Eric Rescorla
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Stephen Farrell
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Christopher Patton
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Martin Thomson
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Stephen Farrell
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Kazuho Oku