IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-sni-encryption

Geoffrey Keating <geoffk@geoffk.org> Thu, 18 October 2018 03:09 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B0AC127148 for <tls@ietfa.amsl.com>; Wed, 17 Oct 2018 20:09:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6_Dfp07o3Zhq for <tls@ietfa.amsl.com>; Wed, 17 Oct 2018 20:09:12 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [198.0.208.83]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2801120072 for <tls@ietf.org>; Wed, 17 Oct 2018 20:09:11 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 264F533D2CE; Thu, 18 Oct 2018 03:09:11 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: mrex@sap.com
Cc: Sean Turner <sean@sn3rd.com>, tls@ietf.org
References: <9DE64F7F-4740-4410-A004-373D8919920B@sn3rd.com> <20181017170236.DA9D1404C@ld9781.wdf.sap.corp>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Wed, 17 Oct 2018 20:09:11 -0700
In-Reply-To: <20181017170236.DA9D1404C@ld9781.wdf.sap.corp>
Message-ID: <m27eigeyso.fsf@localhost.localdomain>
Lines: 29
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eVN1sooQAvQWw-bvAi_CRLH71lc>
Subject: Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2018 03:09:14 -0000

mrex@sap.com (Martin Rex) writes:

> If anyone really thinks that there should be a scheme where a
> server's hostname is no longer transfered in a cleartext (including
> TLS extension SNI), then first of all a *NEW* distinct URI method
> should be defined for that purpose, e.g. "httph://" as a reliable
> indicator to the client processing this URI, that the hostname from
> this URI is not supposed to be sent over the wire in the clear
> *anywhere*.

Although I can see how this, or some other mechanism, might be helpful,
I don't agree it has to happen *first*.  Why can we not start by providing
an ESNI mechanism, and then later standardize a mechanism to require it
for particular hostnames?

A limited-purpose client can just require TLS 1.3 and ESNI for all
connections, so such a mechanism would not be required for that
client.  In the future TLS 1.3 and ESNI deployment may be sufficiently
widespread that all clients could require them, making the mechanism
unnecessary.

Even if ESNI is opportunistic and so subject to active attacks, that
still eliminates passive network sniffing.  Even an active attack
would not (I think) lead to a successful connection, because of the
TLS anti-downgrade features, with consequences including user-visible
error messages or the device deciding the network is non-functional
and ceasing to use it, so although some hostnames may be revealed, the
user or device may stop before revealing all of them.  So ESNI is
still useful even if not mandatory.

v2.23.0 | Report a Bug | By Email