IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for ECH

Amir Omidi <amir@aaomidi.com> Wed, 13 March 2024 16:21 UTC

Return-Path: <amir@aaomidi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D710C165518 for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 09:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaomidi.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 81374TZn0cwe for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 09:21:27 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEFCCC1654F2 for <tls@ietf.org>; Wed, 13 Mar 2024 09:20:47 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-a45cdb790dfso256266b.3 for <tls@ietf.org>; Wed, 13 Mar 2024 09:20:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaomidi.com; s=google; t=1710346846; x=1710951646; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=PGOiUrb8I4rxXKgEfr5PADc9PK/Tg8DWCmjdfBKfhs4=; b=ALaRyseGlLnsnb4yZXw8ZZ6oO7+Rt7UxoJ8kEKNvedKodwdcxPe1R9TiaqmqDmXc6Y DyUTYJz3GVd6zVBTX2QfWYYyGxcivjogE0MAfC8znMepEwMLdMxCSOrJqkAZOcpJJ/DV 3ViJ85yQ2g9k9oijzQ+J6yufHAShlg59U0kRv+JBmHgCVv8yCkPury00r8GFNm73aGn1 sscvSjzRbAxYYFQUeXUuIPfBmdCw97wUo4fjGyCX2C9mnhafwedVk8ZlXmMCb+vBWah2 tSbu3I475v2QtMbBtoWV0HLBFOel7KxLa5r4a2bWDg5/V0ptR4im2R0firm4ZptL4XKf O3eQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710346846; x=1710951646; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=PGOiUrb8I4rxXKgEfr5PADc9PK/Tg8DWCmjdfBKfhs4=; b=KX0LMT2FUvoSYBAWS8Ukk32PhA1wzbAEKegSG+yj8HWHvxz9IhKIwUpMsH0lZZSNTA mxqwofEgJFUR3noe/HLAt8nXwQkE6kiCi+0BQ/ALN1SYkiAY/geBOmQXgd78f+EEF/pb 8dgblrKI8P0G/tXCVuG6Jg7hOtFg1cSR6b6HO0/9sjFMitbaZxGYT7o2tXNu4p86ewAc LO/nmXecAaeXea0wwY4zJQzOvBmWFBLaaChp8HfZK/2zf5VKMeechuVZgKhWHvuu3TkF 6SjV5Qnb8QwYAisedanzT/8Uyxu2H1Cus367QnfQRQwwQmmP9gfYMXHceHiiJWvpdc4C yxUA==
X-Forwarded-Encrypted: i=1; AJvYcCW4u9gIBAhqLU87MaOO4b2pYNVZJt2oVH/aY4n5g+anapf9NieKwUpGh08taEZDNtS/X6pkGp7qH+jWibo=
X-Gm-Message-State: AOJu0YxyciXFKGOxYrFWwdF0TQUuUlDk6V49PFwBa2lEZkZV4aWgSPQl vabWXoRjBzq6bARecTIfbn6qdsAQAuc2i9/R4qxoFDOWkibaRqrY9qc+D0JBYvp11Uu1/RlnOzv wGmomBLrNy9xOCvSp3x0Jjkq0j8fHPDYkXgDOtQ==
X-Google-Smtp-Source: AGHT+IH0zYDsMLUhoC7ccRUQzkABqoc32lne21RnQmWSeINsOAfkc9NuCfgFsbbH6Dvn1j9zK13IufBFyKciOMTITro=
X-Received: by 2002:a17:907:198e:b0:a46:522f:5211 with SMTP id li14-20020a170907198e00b00a46522f5211mr2368899ejc.2.1710346845900; Wed, 13 Mar 2024 09:20:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com> <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CABcZeBPK+jdirtxVPJWipXs0odhsqwsG088NC=OPpd4R=q16Zg@mail.gmail.com> <CAOG=JUKSjbPoz-xBHExrdgtSGTKYYTtnvO18o=qTm7eC2Anc4w@mail.gmail.com> <253111710344559@mail.yandex.com> <CABcZeBNMMvn0g_0dO3rvZfiB8K-5DmBWREVuZJL-r4zPjq_YWQ@mail.gmail.com>
In-Reply-To: <CABcZeBNMMvn0g_0dO3rvZfiB8K-5DmBWREVuZJL-r4zPjq_YWQ@mail.gmail.com>
From: Amir Omidi <amir@aaomidi.com>
Date: Wed, 13 Mar 2024 12:20:34 -0400
Message-ID: <CAOG=JUJRCdzbYaEfwP2pJfduE7=ChHTwpqO94=kzNs=8U1L_hA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: A A <tom25519@yandex.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000031736006138d2812"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/duFXTSMzkArK-Dzd0-Gy1FJwXeU>
Subject: Re: [TLS] Working Group Last Call for ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 16:21:31 -0000

> I don't think it's realistic for a generic client (e.g., a standard
browser) to omit or falsify this field.

Why not? From my understanding the issue that happens in this situation is
that the website becomes less reliable for these TLS clients?

If so, let that be a problem for the client to deal with. All this change
would do is something in security considerations along the lines of "to
make this protocol more censorship resistant, a TLS client MAY choose to
omit, or randomly generate the contents of `public_name`. A TLS Server
SHOULD handle these situations gracefully, and not actively reject the
client".

I do not like the idea of saying "some website can choose to do this". In
practice, very few websites will go down that route.

Are there any concerns if this approach is used?

On Wed, Mar 13, 2024 at 12:03 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, Mar 13, 2024 at 8:49 AM A A <tom25519@yandex.com> wrote:
>
>> I think we should change outer SNI randomly and periodicity (e.g 1
>> hours), if it change fast enough, censor will need to pay a price to block
>> it,
>>
>
> This won't work because the public_name is part of the recovery mechanism
> for misconfiguration, which means that the server needs to have a valid
> certificate with that identity.
>
> -Ekr
>
>
>>
>> 13.03.2024, 23:40, "Amir Omidi" <amir=40aaomidi.com@dmarc.ietf.org>:
>>
>> I'd like to understand how the behavior of the latest draft will be under
>> an adversarial condition.
>>
>> One of the things that really excited me about ESNI back in the day was
>> effectively making it near impossible for countries, like my home country
>> Iran, from being able to effectively censor the web. AFAIK Iran's main
>> censorship mechanism revolves around looking for ClientHello's and then
>> sending a TCP reset when that SNI matches a censored domain.
>>
>> I'm wondering, are we losing that ability from ESNI with this plain text
>> field? Maybe there can be an understanding in the RFC that the client may
>> omit, or falsify this plaintext field for a bit of extra adversarial
>> security in these circumstances?
>>
>> On Wed, Mar 13, 2024 at 11:26 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>
>>
>> On Wed, Mar 13, 2024 at 2:15 AM Raghu Saxena <poiasdpoiasd@live.com>
>> wrote:
>>
>> On 3/13/24 14:51, Watson Ladd wrote:
>>
>> > I'm not sure what problem you want us to solve here. In the case of
>> > server offering a single domain, an attacker can determine that
>> > connections to that domain go to the server and cheaply block based on
>> > IP. As a result the threat model is one of distinguishing between
>> > connections to two different inner names.
>>
>> An IP can be cheaply recycled as well, for instance restarting a VPS on
>> a cloud provider. Furthermore, IP based blocking may even be discouraged
>> at a higher level, for the exact reason that IPs can change pretty
>> easily. As an operator, I might be able to migrate my hosting to a new
>> server provider (and hence IP) trivially, but informing my users of a
>> domain change is much harder.
>>
>>
>> Yes, but the attacker can easily learn these IPs merely by querying
>> the DNS. Moreover, they can learn the associated domains by sending
>> a CH with no SNI at all and seeing what's in the certificate.
>>
>>
>> > DNS does not propagate atomically with webserver configuration
>> > changes. It's thus necessary to deal with mismatches.
>> While this is true, if there is a configuration mismatch (and hence ECH
>> cannot work), why is the decision made for the server to transparently
>> "downgrade" it to non-ECH, instead of sending some kind of alert that
>> signifies the client to retry without ECH?
>>
>>
>> Three reasons:
>>
>> 1. Such an alert would be insecure because an attacker could forge it,
>> thus causing the client to send ECH in the clear.
>>
>> 2. It allows the server to be completely ECH unaware rather than needing
>> to special case an ECH alert.
>>
>> 3. It allows the server to securely provide a new ECHConfig.
>>
>> -Ekr
>>
>>
>>
>> Regards,
>>
>> Raghu Saxena
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>> ,
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>

v2.23.0 | Report a Bug | By Email