[TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Ralf Skyper Kaiser <skyper@thc.org> Thu, 07 November 2013 16:32 UTC

Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDF4F21F9CC2 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 08:32:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.425
X-Spam-Level:
X-Spam-Status: No, score=-0.425 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DdjC29mmBtZb for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 08:32:52 -0800 (PST)
Received: from mail-ie0-x22b.google.com (mail-ie0-x22b.google.com [IPv6:2607:f8b0:4001:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 0110621F9CA8 for <tls@ietf.org>; Thu, 7 Nov 2013 08:32:51 -0800 (PST)
Received: by mail-ie0-f171.google.com with SMTP id tp5so1187337ieb.2 for <tls@ietf.org>; Thu, 07 Nov 2013 08:32:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:date:message-id:subject:from:to:content-type; bh=njgYh7HQTmNlpsHxEQjHSJLDlltiPANpLbstWd/x5s8=; b=QpxZte2PkxZcyZAP00NGpdCivDsXvDSPUa8vPaO+ANG3srqfk9IxWOXtzcPSbOW1w6 pje9bpyqC8ckz1CFBYmdDQUc7v3k5QLyt9vWJKKS1J6IBCXXqmUIWw5JimVK9k/VUsG4 g0BQJFBxQ6BB9Bw/FyeQViR2q4/v6YPyFNJhc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=njgYh7HQTmNlpsHxEQjHSJLDlltiPANpLbstWd/x5s8=; b=LmKNvU9qNE66JO6jYwBPimijdguysuYzi/2yRwQ7MwqkrgJcaAXZM99sty+6425ukI ld3QHstw226RDrdqdb6ECAobVveOuesBO1ywDGLMHelSfXLlE4yO1X0VAcE8AyAiphvg bq7CDYh45BpB4TKw/+P2G9+wZjOrwqM34u/I+/m+O8pfopTi+8eCP/e8vdhjWD3TO1jW WATqybo7jE2evsfBsWCzpITiU5wyE4aiH5HKATOnIv05SpBUZe+TqM8e7kYH75Get49u wn7Hbj7bkqmWdSVB8koTcKH2aHFY3ALsMaCWRDEeZil1lyYiXgTX1APzY8L3yHG6hEq3 Akpg==
X-Gm-Message-State: ALoCoQnAh1LL0ERMhIS3nIh9UVmc4fPu9sBKnu4obDIiUOfQ2k5kZcXB7UaXudCnXUMMqHaKcuKt
MIME-Version: 1.0
X-Received: by 10.50.131.163 with SMTP id on3mr2640581igb.46.1383841971053; Thu, 07 Nov 2013 08:32:51 -0800 (PST)
Received: by 10.64.231.100 with HTTP; Thu, 7 Nov 2013 08:32:50 -0800 (PST)
X-Originating-IP: [70.42.240.24]
Date: Thu, 7 Nov 2013 16:32:50 +0000
Message-ID: <CA+BZK2qUE3oS6Sbp1HbKZ7Wgen9gEjjdepON1egLhGqCPpoVBw@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=047d7b2e0d1f1cd61004ea98d12f
Subject: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 16:32:59 -0000

Hi,

Thank you for the helpful TLS WG meeting yesterday at
the IETF88 and to the WG for the excellent work on
TLS.


No consensus was reached on ‘Reduced RT handshake with
privacy”.


Some thoughts why SNI (host name) and ALPN should be
transmitted encrypted and not in clear.


1. Meta-data is important. Meta-data tells a lot about a person.
Meta-data can get a user killed or worse. Transmitting the host-name
(meta-data) in clear in TLS is not good (as in ‘not good because it
can get you killed’ and there is no alternative for the user – unless
the user is a tech-wizard.).


2. What is the message to the user? TLS is secure – well, kind’a.
TLS secures some things but that you read freedom4gays.com,
secure.washingtonpost.com or myfavoritepoliticalparty.com is
leaked – but we still call it secure???


3. Governments just love filtering by site. (Block secure.twitter.com
but not blub.com). Same goes for filtering by application (ALPN).
Transmitting this information in clear plays into the hands of the
adversary.



There are other ways how an adversary can extract the same meta-data.
This should not deter us from fixing it in TLS. Maybe we will find a
solution for the other problems as well (like confidential DNS).


Fixing this in TLS increases the cost of surveillance. This is the goal.


An adversary can no longer use passive surveillance to extract SNI/ALPN.
The adversary is forced to do detectable active surveillance to get the
meta-data).


Those who give up security for a little bit of performance neither
deserve security nor performance.



Regards,



Ralf