Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Ralf Skyper Kaiser <skyper@thc.org> Tue, 12 November 2013 14:56 UTC

Hi,

On Tue, Nov 12, 2013 at 2:13 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

>
> On Fri, Nov 8, 2013 at 1:42 PM, Ralf Skyper Kaiser <skyper@thc.org> wrote:
>
>> Hi,
>>
>> absolutely. Encrypted SNI in TLS 1.3 will be received by server prior to
>> selecting a certificate.
>>
>> ALPN could be encrypted as well (same reason, same solution).
>>
>> regards,
>>
>> ralf
>>
>
> What am I missing here, how do you turn on encryption before the client
> sees the encryption credential.
>
>
The certificate does not contain the encryption credentials.
The certificate can be transmitted after encryption has started.

- server/client: negotiate credentials (not certificate), start encryption
- client: send SNI, ...
- server: send certificate, ...
- authenticate (HMAC over all data that has been sent and received during
handshake).

(This is incomplete. Please refer to the protocol-flow that Eric showed at
the IETF88 TLS WG gathering.)



>
>
> As for economic issues 'not being a consideration', if the group does not
> make TLS 1.3 viable commercially then either nobody will use it or the
> commercial providers will fork. We have already had two forks in PKIX
> because people refused to consider practicality over ideology.
>

absolutely. The belief is that Transport-Layer-Security (encrypted SNI)
will be more widely adopted than Transport-Layer-Kind-Of-Security
(cleartext SNI leakage). Surely for those atheists in Saudi Arabia or the
Alan Turings in Britain it would be bad to have the SNI leaked....


>
> Multihosting is not becoming less common, it is becoming more so. We
> cannot burn one IPv4 address per session. And if we did the mapping of
> domain to IP address would become 1:1 and the name would leak anyway.
>

correct. That's why we have SNI (encrypted or not. both serve this purpose).


>
> Modern multihosting is dynamic. The provider has no idea which machine a
> site is going to pop up on and it can change from day to day. Any scheme
> that required all certs to be issued by the same provider is going to be
> unacceptable.
>

I agree.

regards,

ralf
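
The four-step ordering sketched in the message above (key agreement, then SNI, then certificate, then a MAC over the handshake), as an added example that is not part of the original post or of any TLS draft. The toy Diffie-Hellman group, the HMAC-based keystream, the `CERTS` table and all function names are assumptions made for illustration; no certificate signature is checked, so it models a passive observer and in-flight modification only.

```python
import hashlib, hmac, secrets

# Toy parameters (assumptions for illustration; not the TLS 1.3 wire format).
P = 2**255 - 19   # prime modulus for a toy finite-field Diffie-Hellman
G = 2
CERTS = {b"a.example": b"cert-a", b"b.example": b"cert-b"}  # constructed sample data

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def transcript_mac(key: bytes, messages: list) -> bytes:
    return hmac.new(key, b"".join(messages), hashlib.sha256).digest()

def handshake(sni: bytes, certs: dict, tamper: bool = False):
    """Return (bytes seen on the wire, SNI the server decrypted, MACs agree?)."""
    # 1. negotiate key material (no certificate involved), start encryption
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    client_hello, server_hello = (pow(G, x, P).to_bytes(32, "big") for x in (a, b))
    k_client = hashlib.sha256(pow(pow(G, b, P), a, P).to_bytes(32, "big")).digest()
    k_server = hashlib.sha256(pow(pow(G, a, P), b, P).to_bytes(32, "big")).digest()
    # 2. client sends the SNI under the negotiated key
    enc_sni = keystream_xor(k_client, b"c2s", sni)
    delivered = bytes([enc_sni[0] ^ 1]) + enc_sni[1:] if tamper else enc_sni
    # 3. server decrypts the SNI, selects the certificate, sends it encrypted
    seen_sni = keystream_xor(k_server, b"c2s", delivered)
    enc_cert = keystream_xor(k_server, b"s2c", certs.get(seen_sni, b"default-cert"))
    # 4. each side MACs everything it sent and received; a mismatch aborts
    client_view = [client_hello, server_hello, enc_sni, enc_cert]
    server_view = [client_hello, server_hello, delivered, enc_cert]
    ok = hmac.compare_digest(transcript_mac(k_client, client_view),
                             transcript_mac(k_server, server_view))
    return server_view, seen_sni, ok

if __name__ == "__main__":
    wire, seen, ok = handshake(b"b.example", CERTS)
    print("SNI visible on the wire:", b"b.example" in b"".join(wire), "| MACs agree:", ok)
    _, seen, ok = handshake(b"b.example", CERTS, tamper=True)
    print("after one flipped bit, server saw:", seen, "| MACs agree:", ok)
```
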