Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Peter Gutmann <> Fri, 04 December 2015 03:04 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B7E8E1B2AB0 for <>; Thu, 3 Dec 2015 19:04:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a3OfB0EfJrln for <>; Thu, 3 Dec 2015 19:04:02 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CF6D61B2AAF for <>; Thu, 3 Dec 2015 19:04:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1449198242; x=1480734242; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=OHmdX+u60byxy1ri20APQqHTEDtOKJSul2dizfeUykE=; b=M7dckb7cICQevpSmdTZ1ErthTvidLlkrE71PZJe1D/Kg/TDfGp1mjptS HmRHkVHx1KbhMD+Uuc7zHXjMPC1pmCMm1bS9s6viApOgbxyYDMw//8vQE mNqU4Z4G0hqhdGV9bilL0t+6nid14bcrVlUjqfkDbAg3efCwPQtae//A7 c0AVrOJKc7FajH9lT0Kqd7KaF8Az5JqoVZPb0yLF9rdn0vsWqnTSmPcVs w5bKB8RIZChgFyJtQ9j+oc/QLa+ZrUs9EGtf1+FlzQyxnrkQOEAV88FNs PYCPuUjD/sW8MP3CuItIHjARWpu/k4YBUUY7TVkD+UymBlQ11OcJMAHkq Q==;
X-IronPort-AV: E=Sophos;i="5.20,378,1444647600"; d="scan'208";a="57590242"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 04 Dec 2015 16:03:57 +1300
Received: from ([]) by ([]) with mapi id 14.03.0266.001; Fri, 4 Dec 2015 16:03:57 +1300
From: Peter Gutmann <>
To: Jacob Appelbaum <>, "" <>
Thread-Topic: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Date: Fri, 04 Dec 2015 03:03:56 +0000
Message-ID: <>
References: <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 03:04:06 -0000

Jacob Appelbaum <> writes:

>TCP/IP and DNS are out of scope, though obviously related.

Why are they out of scope?  You can't just ignore a threat if it's
inconvenient, you need to look at the overall picture.  Arguing over plugging
a mousehole in the corner of the barn is pointless when two of the four walls
are missing.  As Martin has pointed out:

  There are so many ways and places where the servername WILL be leaked,
  (URLs, bookmarks, HTTP-Header-Fields,  HTTP-Referer headers, etc.) that
  bottom line, encrypting SNI amounts to crazy and pointless idea.

I'm not sure if I'd call it crazy and pointless, just not worthwhile.  You're
leaking server-name information in a great many other locations and ways, and
encrypted SNIs causes so many problems, that the cost/benefit tradeoff doesn't
make it worthwhile (which, I guess, could be classed as "pointless").

Perhaps someone could write an RFC for a play-with-experimental-features TLS
extension, where implementers could encrypt lengths and SNIs and anything else
they want, and then test them out in the real world to see what effect it has.