Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 04 December 2015 03:04 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7E8E1B2AB0 for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 19:04:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a3OfB0EfJrln for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 19:04:02 -0800 (PST)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF6D61B2AAF for <tls@ietf.org>; Thu, 3 Dec 2015 19:04:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1449198242; x=1480734242; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=OHmdX+u60byxy1ri20APQqHTEDtOKJSul2dizfeUykE=; b=M7dckb7cICQevpSmdTZ1ErthTvidLlkrE71PZJe1D/Kg/TDfGp1mjptS HmRHkVHx1KbhMD+Uuc7zHXjMPC1pmCMm1bS9s6viApOgbxyYDMw//8vQE mNqU4Z4G0hqhdGV9bilL0t+6nid14bcrVlUjqfkDbAg3efCwPQtae//A7 c0AVrOJKc7FajH9lT0Kqd7KaF8Az5JqoVZPb0yLF9rdn0vsWqnTSmPcVs w5bKB8RIZChgFyJtQ9j+oc/QLa+ZrUs9EGtf1+FlzQyxnrkQOEAV88FNs PYCPuUjD/sW8MP3CuItIHjARWpu/k4YBUUY7TVkD+UymBlQ11OcJMAHkq Q==;
X-IronPort-AV: E=Sophos;i="5.20,378,1444647600"; d="scan'208";a="57590242"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from uxchange10-fe4.uoa.auckland.ac.nz ([130.216.4.171]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 04 Dec 2015 16:03:57 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.153]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0266.001; Fri, 4 Dec 2015 16:03:57 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Jacob Appelbaum <jacob@appelbaum.net>, "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Thread-Index: AQHRK9MuTTIrlxrBV0e1/10aVzchP560f84AgAB/gYCAAbsZAIAABeoAgAAQlACAAAryAIAAGvsAgAAGsYCAAAhOgIAAHVoAgAAPXYCAAGgdgIABChwAgABzXwCAARCr3g==
Date: Fri, 04 Dec 2015 03:03:56 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B9865A@uxcn10-5.UoA.auckland.ac.nz>
References: <CAFggDF3cdjG79cd2uLi0oJo1kOhJOY4Fykt021vuZN+08mb3HA@mail.gmail.com> <20151203165344.C639C1A3A0@ld9781.wdf.sap.corp>, <CAFggDF2oJUa=on18GBow1wfQrRnns_tnSP1SLroOfGnNVTpcyg@mail.gmail.com>
In-Reply-To: <CAFggDF2oJUa=on18GBow1wfQrRnns_tnSP1SLroOfGnNVTpcyg@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dzIs9kyIStHArq_H-gp_ZOYPJb0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 03:04:06 -0000

Jacob Appelbaum <jacob@appelbaum.net> writes:

>TCP/IP and DNS are out of scope, though obviously related.

Why are they out of scope?  You can't just ignore a threat if it's
inconvenient, you need to look at the overall picture.  Arguing over plugging
a mousehole in the corner of the barn is pointless when two of the four walls
are missing.  As Martin has pointed out:

  There are so many ways and places where the servername WILL be leaked,
  (URLs, bookmarks, HTTP-Header-Fields,  HTTP-Referer headers, etc.) that
  bottom line, encrypting SNI amounts to crazy and pointless idea.

I'm not sure if I'd call it crazy and pointless, just not worthwhile.  You're
leaking server-name information in a great many other locations and ways, and
encrypted SNIs causes so many problems, that the cost/benefit tradeoff doesn't
make it worthwhile (which, I guess, could be classed as "pointless").

Perhaps someone could write an RFC for a play-with-experimental-features TLS
extension, where implementers could encrypt lengths and SNIs and anything else
they want, and then test them out in the real world to see what effect it has.

Peter.