IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

Yoav Nir <ynir.ietf@gmail.com> Wed, 21 May 2014 19:20 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 679541A0836 for <tls@ietfa.amsl.com>; Wed, 21 May 2014 12:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ewam0ILhUhXe for <tls@ietfa.amsl.com>; Wed, 21 May 2014 12:20:17 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48CDC1A0830 for <tls@ietf.org>; Wed, 21 May 2014 12:20:17 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id cc10so3243574wib.5 for <tls@ietf.org>; Wed, 21 May 2014 12:20:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=PPXsCnCGv6ejIhudhYyqgcVIGeCiQV6MlYSX8v8GCns=; b=E1WcBxlXxKv1gTNOySaBKydFRp6kmuk9fOgAe8xaBnbe9kpAEfwy3yx/sbb3HFsABF HUcYqC1D8J2IUP1OLYCOhZ90GUtqwycTxXyMS+cWFWi/R4OLxOHumq3QMFYv8ft6WVg8 wNiDzUAGwKDlGpvDkAfj/cW628RiqVG53NAzdrwtTtAyzhhgGh3hYJgL/pEOTUMr97B3 Z2gU3r0p645oUAZGgjS/70u+OGrRlQ+t5xovQoQFvfzI+yraiFcicbtMZEARGAsDGq5a Wgx4kZtl3Rbl+n70Y2L548ylgymGYJ3qlCQ4agkQ2h+QKmk/6nwGX9e0FY8enDsHiAMk 8Sow==
X-Received: by 10.180.218.163 with SMTP id ph3mr12081611wic.54.1400700015249; Wed, 21 May 2014 12:20:15 -0700 (PDT)
Received: from [192.168.1.100] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id rw4sm23670214wjb.44.2014.05.21.12.20.12 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 21 May 2014 12:20:14 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <m261kzhu5u.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
Date: Wed, 21 May 2014 22:20:07 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <072720CE-6023-4250-A9D7-68A829C4A2FC@gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534DB18A.4060408@mit.edu> <CABcZeBOJ7k8Hb9QqCAxJ_uev9g_cb4j361dp7ANvnhOOKsT7NA@mail.gmail.com> <CA+cU71kFo6EihTVUrRRtBYEHbZwCa9nZo-awt4Sub2qXcKHC7g@mail.gmail.com> <m2k3apmjk2.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CALCETrU6zn52yX=Q-_h4epR6W9+f2oTr3yfyK1sxiwGa2dvWGw@mail.gmail.com> <CAKC-DJgNvF=hhwoyRNkJ3vKz9EZ_JpoM84bCip6eProLwsQsEg@mail.gmail.com> <CALCETrWY_-N+nM9N0_gbeffkX5Jo8vn7XKeFCezGiwq2A74Wjw@mail.gmail.com> <CAKC-DJg6kRLezM+Q60VLY=dBU9C_Q9hb_0u7WD-HHWVJ5Y6tRQ@mail.gmail.com> <CALCETrX7Dv9_+uM7VqotHGurS+k6K5wKzeXEj7zuekd8+0qOJQ@mail.gmail.com> <566E6D8E-ACD5-4B21-9586-84C149F6A1B9@akamai.com> <CALCETrUi+fc9LW1iqx0bFuAsgygmeorR9AnzLN+abGx08y152A@mail.gmail.com> <5204AB60-0B32-4953-9D3D-C2756883D39D@akamai.com> <CALCETrXOaNihRRNQ3RQsctbipAGq67cSUofOm0AOb-YWENFFwQ@mail.gmail.com> <m238hblob1.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CABcZeBN0i9Su1SuY6AZE7MBbPEPXRKAVQ1k7b+vOJKfpPEw3Ww@mail.gmail.com> <859F43324A6FEC448BFEA30C90405FA9037D56@SEAEMBX02.olympus.F5Net.com> <m2lhu6kgb9.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <15d5a50ed2244e8595edfa57d7055e2b@BY2PR03MB554.namprd03.prod.outlook.com> <m2siobhyk6.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <D1975D91-0823-471D-923E-CC749BAC5FF5@gmail.com> <m261kzhu5u.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
To: Brian Sniffen <bsniffen@akamai.com>
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/i5oSmVdo7Z7q85nGnNpQeu_UwwY
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 May 2014 19:20:20 -0000

On May 21, 2014, at 9:18 PM, Brian Sniffen <bsniffen@akamai.com> wrote:

>>>> One challenge is that botnets (that are conduits for most of the
>>>> spam) also have plenty of spare CPU capacity.
>>> 
>>> Yes, but each bad node's CPU capacity only outstrips many good node's
>>> capacities by a little bit---compared to network bandwidth, where
>>> very often botnets outstrip good nodes' capacity by orders of
>>> magnitude.  Of course the bad nodes will beat out cell phone CPUs; a
>>> client puzzle scheme has to be about, in some part, "acceptable
>>> losses."  If we can drop new mobile nodes and the botnet, but keep
>>> service up for (say) established connections and "real" computers,
>>> that may be okay.
>> 
>> I don't have hard data at hand, but my guess is that these days TLS
>> connections from mobile devices far outnumber TLS connections from
>> "real" computers. So that may not be okay.
> 
> 
> That doesn't seem to be the case.  See
> <http://www.akamai.com/html/io/io_dataset_v2.html#stat=browser&top=5&type=bar&start=20140305&end=20140405>.
> That's not for TLS alone, but Chrome + IE + FF is far greater than Mobile
> Safari + Android Webkit + all Others.  Given that, it would be
> surprising if Mobile TLS far outnumbered Desktop TLS.

That page you linked allows you to group by device OS, which shows 58.8% Windows and 8.4% for Mac OS X. There may be some 1% of desktop linux in those “Unknown” or “Other” categories.  So about 2/3 desktop computers.

But this data is for percentage of requests, not connections. I think mobile sites tend to be simpler and contain less resources than full sites,  Also mobile phones tend to run a lot of little apps that keep querying servers in the background, much more than desktop computers do, so it’s possible that in number of handshakes the score is more even. 

There’s also some skew in that an Intel processor running Android is counted as “mobile” but a tablet running Windows RT is counted as “desktop”, but those are still too rare to alter the results.

Yoav

v2.23.0 | Report a Bug | By Email