IETF Logo Mail Archive

Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

mrex@sap.com (Martin Rex) Tue, 12 November 2013 00:55 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A09DD21E8133 for <tls@ietfa.amsl.com>; Mon, 11 Nov 2013 16:55:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.182
X-Spam-Level:
X-Spam-Status: No, score=-10.182 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYy+yMig5Cnn for <tls@ietfa.amsl.com>; Mon, 11 Nov 2013 16:55:50 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id AA3E911E812A for <tls@ietf.org>; Mon, 11 Nov 2013 16:55:49 -0800 (PST)
Received: from mail06.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rAC0tkIo019764 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 12 Nov 2013 01:55:47 +0100 (MET)
In-Reply-To: <CA+BZK2onJUrHPegXwO4TWVaj-tirBnpXxEY32T_VA4SZDcnhJA@mail.gmail.com>
To: Ralf Skyper Kaiser <skyper@thc.org>
Date: Tue, 12 Nov 2013 01:55:46 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131112005546.D6E781AA7B@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 00:55:57 -0000

Ralf Skyper Kaiser wrote:
> 
> On Fri, Nov 8, 2013 at 5:02 AM, Martin Rex <mrex@sap.com> wrote:
> >
> > Don't fix it if it ain't broken.
> > SNI was specifically DESIGNED to convey the server name in the clear.
> 
> SNI was NOT DESIGNED to be convey the server name in clear. SNI was
> designed so that the server can pick the right certificate.

SNI was DESIGNED to be in the clear.  In our server implementation,
I have implemented the server-side of SNI only at the application
level, not in the TLS protocol stack, i.e. I select the credential
that is used to perform the TLS handshake _before_ I start the
handshake.


> 
> SNI can be transmitted encrypted and should be transmitted encrypted (see
> recent plenary sessions at IETF88).

What you seem to want to do is not SNI, but something else.


> 
> Martin, with your argument why should we fix anything at all in any product
> or design?

Don't fix it if it ain't broken.  SNI is not broken.


> 
> The proposed solution FIXES passive pervasive surveillance in TLS 1.3.

This is going to be a waste of energy that is only making things
more complex, but neither better nor more secure.


> 
> Let's make pervasive passive surveillance harder.

To me, this is self-illusion.  Why should NSA look at SNI at all?
They're collecting meta-data based on information that is always present
and necessary for the communication to succeed at all.  There are still
lots of clients around which do not send SNI.  And you could send crap
in SNI to servers that don't implement or use SNI, but I strongly doubt
that you would confuse XKeyScore by doing this.


-Martin

v2.23.0 | Report a Bug | By Email