Re: [TLS] Encrypted SNI

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 03 July 2018 20:09 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2CE7130E71 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 13:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xGpz_f6XYqpT for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 13:09:37 -0700 (PDT)
Received: from mail-oi0-x241.google.com (mail-oi0-x241.google.com [IPv6:2607:f8b0:4003:c06::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C6DE130FCA for <tls@ietf.org>; Tue, 3 Jul 2018 13:09:37 -0700 (PDT)
Received: by mail-oi0-x241.google.com with SMTP id b15-v6so6300941oib.10 for <tls@ietf.org>; Tue, 03 Jul 2018 13:09:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=lb73/9mpxgQLmTJWadEW1dKJG0cvzLBVEUSPAH6w41U=; b=YV1rzkz/cymVzPFoftFtxeHAWTl9g+g60/+NBDg0qTeSi5Op7qudGp93Z9wo0ZyXxN I5fXrAmtDOSUzJb8oNQqwgtipsUFj+g4QOACeMtDenLTl58WMrSbO1NsmuJ6i+WGJd7d RJ5Kt8w9C5YEkqpLJEGsRwgSb2kl8D4GfP+LBaf71JcS5ZoBPbzfzEoa/EoTqnEE1AAN HNeby4uRsDw9b+5sn3qv2uBvzYGyVjR9sG9kh+HVJy4hRDLbXzZ5vwqz4JaepS12jv/9 ojE0/hj6/sDE3RdZzD1BVfHfLg5bSEnoAhW07DKzxZ4FJZY2yjLETC2WoSLFR7b3xHqz UCSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=lb73/9mpxgQLmTJWadEW1dKJG0cvzLBVEUSPAH6w41U=; b=LEPeyqZsKDL/XqGacJyXEOaMjpc06MXyMfGovQb+0FnUtcutKGwIjdqMiSSRm/O7IG QLlZMac5rUnVu4BgL4IliRUPuqjDq9Qx+iBcE/b2kZ35VYoZEfojIBYEgBKRQ6hYT6Wq dThCKsWM6DENWveRoHAWG8trMMF1GTV5+Xs4C03RDs7Y9wbRnhB3qwtuaKek0SJGxUS6 4OAFnD+GPkYc1rCLuMc1TwdI5TYmP/nuyS9XxpsDsmu3pKhkUsq1Y/AxgoUDgsSWvi8C ehEq3tnRtSvBs7CndZAnTyKfU7l82mAi0NJSCwXSdjr+8W65WVvJM0Xey+06pneiTycy COpA==
X-Gm-Message-State: APt69E0Wg5b71ZcEqw6t85C+dAmmK5pWkuev3nzU8Rly983nqcbxSmdC oVC+ZQCVfv/o20MPuP5UYDxO1xWOYtfYPwF9gH0=
X-Google-Smtp-Source: AAOMgpcCl7mZhfnZoSQRwCmrCCSM4PYCjt8hmRERUz+kMXcrz3OJOc+0NlEeBQt2Cuv2ilmOI5Sg27NujuXOSr3JizU=
X-Received: by 2002:aca:3254:: with SMTP id y81-v6mr9868751oiy.317.1530648576510; Tue, 03 Jul 2018 13:09:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:7ad0:0:0:0:0:0 with HTTP; Tue, 3 Jul 2018 13:08:56 -0700 (PDT)
In-Reply-To: <20180703194903.GA14551@akamai.com>
References: <F4966CAA-454B-4152-A9E5-EA9714978CEA@gmail.com> <20180703194903.GA14551@akamai.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 3 Jul 2018 16:08:56 -0400
Message-ID: <CAHbuEH7Q_njN5_n-CiMB8s4ABg-Lj4jmcc7hxOAuXBzX4U47bA@mail.gmail.com>
To: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>
Cc: Bret Jordan <jordan.ietf@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hsrD4UCNsWVifrzuRwZBf_njYTQ>
Subject: Re: [TLS] Encrypted SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 20:09:43 -0000

On Tue, Jul 3, 2018 at 3:49 PM, Benjamin Kaduk
<bkaduk=40akamai.com@dmarc.ietf.org>; wrote:
> On Tue, Jul 03, 2018 at 11:08:21AM -0600, Bret Jordan wrote:
>> From a discussion on the PATIENT list found here: https://www.ietf.org/mail-archive/web/patient/current/msg00078.html <https://www.ietf.org/mail-archive/web/patient/current/msg00078.html>
>>
>>
>> From my personal perspective, we need to be careful with all of these efforts. It feels like the pendulum has swung so far to one side, the side of privacy-at-any-cost, that we are unknowingly increasing the risk to individuals and organizations by enabling threat actors and intrusions sets to attack networks and clients without any level of protection from the network.
>
> BCP 61 leads us to not expect any protection from the network, does it not?
>
>> It also feels like a lot of these initiatives are being done without adequately involving and ensuring that enterprise networks and critical infrastructure can work with these changes. Question, do we know how these ideas and changes are going to impact an organizations ability to fulfill their requirements for regulatory compliance?
>>
>> If we continue down these paths, then I fear networks will be required to wrap all traffic in some other less secure protocol, outright deny some of these protocols, or be forced to fully proxy all traffic or take an approach that Google has done with their BeyondCorp design.
>
> I suspect you will find that many proponents of the proposals you find
> worrisome would also be enthusiastic proponents of "an approach similar to what
> Google has done with BeyondCorp".  Such a discussion would be off-topic for
> the TLS list, but you would probably be well-served to have some supporting text
> for why this sort of approach should be considered bad, if you want to gain
> sympathy for your perspective.

The proposal came from an AD who just a few moths ago told them not to
worry about these possible changes (see referenced thread on PATIENT
list) that impact their work, so in other words, don't prepare for it,
don't worry about alternate solutions or figuring out ways to better
articulate your use cases.  Then that AD submits the proposal.
Challenging comments are posted and I would expect that there be
sensitivities as to the origin of the draft and making it even more
fair for list participants to comment and understand that this draft
should be treated as any other.

While I agree that additional text and supporting use case information
is needed, there also needs to be an openness to listen to all views
on a proposal.  If there are use cases that are critical for SNI, they
need to surface and be considered.

Best regards,
Kathleen

>
> -Ben
>
>> The IETF work needs to do more outreach with enterprise networks and critical infrastructure and be fundamentally more inclusive. Privacy-at-any-cost is not a holistic design.
>>
>> Thanks,
>> Bret
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>
>>
>>
>> ### Copied content from the PATIENT discussion ####
>>
>>
>> On Tue, Jul 3, 2018 at 8:09 AM, Kathleen Moriarty <kathleen.moriarty.ietf at gmail.com <mailto:kathleen.moriarty.ietf%20at%20gmail.com>> wrote:
>> On Sun, Mar 18, 2018 at 9:06 AM, Eric Rescorla <ekr at rtfm.com <mailto:ekr%20at%20rtfm.com>> wrote:
>> >
>> >
>> > On Sun, Mar 18, 2018 at 12:54 PM, Tony Rutkowski <tony at yaanatech.co..uk>
>> > wrote:
>> >>
>> >> Your point is one that deserves further discussion, Eric - which seems
>> >> likely to scale rapidly going forward.  It is key.
>> >>
>> >> So how does draft-ietf-tls-sni-encryption it into the argument?
>> >
>> >
>> > As you suggest, SNI encryption is intended to conceal the SNI, which of
>> > course would make SNI inspection difficult.
>> >
>> > My evaluation of the current state of SNI encryption is that given the
>> > current technical state, it will not see particularly wide deployment, with
>> > the primary scenario being "at-risk" sites who are subject to censorship who
>> > either hide behind or co-tenant with sites which are not subject to
>> > censorship. That probably isn't going to be incredibly common right now. Of
>> > course, this is regrettable from the perspective of people designing these
>> > protocols, but I think that's the situation.
>>
>> EKR posted a draft to encrypt SNI, see:
>> https://www.ietf.org/mail-archive/web/tls/current/msg26468.html <https://www.ietf.org/mail-archive/web/tls/current/msg26468.html>
>>
>> It targets the CDNs who host most of the web traffic in the US at
>> least.  The right place to comment on this would be the TLS list of
>> course, but since proposals are being posted, this is a reality and
>> needs to be discussed.  Those using SNI need to make sure their use
>> cases are clear and understood and argue the pros and cons.
>>
>> Kathleen,
>>
>> Thanks for pointing out this draft.
>>
>> As they say, predictions are hard, especially about the future. In March, the ESNI problem looked pretty intractable and then subsequently we had this idea about why it might be workable.
>>
>> -Ekr
>>
>> Best regards,
>> Kathleen
>>
>> >
>> > -Ekr
>> >
>> >> On 18-Mar-18 8:45 AM, Eric Rescorla wrote:
>> >>
>> >> On Sun, Mar 18, 2018 at 12:30 PM, Tony Rutkowski <tony at yaanatech.co.uk <mailto:tony%20at%20yaanatech.co.uk>>
>> >> wrote:
>> >>>
>> >>> Hi Diego,
>> >>>
>> >>> It is also worth referencing a relatively recent Lawfare article on the
>> >>> scaling litigation in the U.S. against those supporting e2e encryption
>> >>> services or capabilities.
>> >>>
>> >>> https://www.lawfareblog.com/did-congress-immunize-twitter-against-lawsuits-supporting-isis <https://www.lawfareblog.com/did-congress-immunize-twitter-against-lawsuits-supporting-isis>
>> >>>
>> >>> This litigation trend is also likely to increase the insurance costs of
>> >>> providers.  Indeed, a provider that supports TLS1.3, QUIC, SNI, etc, may not
>> >>> even be able to get insurance.  It may be fun and games to play crypto rebel
>> >>> in venues like the IETF where the risk exposure is minimal, but when it
>> >>> comes to real world consequences and costs, the equations for providers are
>> >>> rather different.
>> >>
>> >>
>> >> I think this rather overestimates the degree to which both TLS 1.3 and
>> >> QUIC change the equation about what a provider is able to determine from
>> >> traffic inspection. As a practical matter, the primary change from TLS 1.2
>> >> is that the provider does not get to see the server's certificate, but it
>> >> does see the SNI. Given that the SNI contains the identity of the server
>> >> that the client is connected to and that the other identities in the
>> >> certificate are often whatever the provider decided to co-locate on the same
>> >> machine, I'm not sure how much information you are really losing.
>> >>
>> >> -Ekr
>> >>
>> >>>
>> >>>
>> >>>
>> >>> --tony
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> PATIENT mailing list
>> >>> PATIENT at ietf.org <mailto:PATIENT%20at%20ietf.org>
>> >>> https://www.ietf.org/mailman/listinfo/patient <https://www.ietf.org/mailman/listinfo/patient>
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> PATIENT mailing list
>> >> PATIENT at ietf.org <mailto:PATIENT%20at%20ietf.org>
>> >> https://www.ietf.org/mailman/listinfo/patient <https://www.ietf.org/mailman/listinfo/patient>
>> >>
>> >>
>> >
>> >
>> > _______________________________________________
>> > PATIENT mailing list
>> > PATIENT at ietf.org <mailto:PATIENT%20at%20ietf.org>
>> > https://www.ietf.org/mailman/listinfo/patient <https://www.ietf.org/mailman/listinfo/patient>
>> >
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 

Best regards,
Kathleen