IETF Logo Mail Archive

Re: [TLS] New Draft: Using DNS to set the SNI explicitly

Richard Barnes <rlb@ipv.sx> Wed, 08 February 2017 14:06 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25252129ADE for <tls@ietfa.amsl.com>; Wed, 8 Feb 2017 06:06:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7YzFM0JNlAC for <tls@ietfa.amsl.com>; Wed, 8 Feb 2017 06:06:21 -0800 (PST)
Received: from mail-ua0-x22a.google.com (mail-ua0-x22a.google.com [IPv6:2607:f8b0:400c:c08::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66D0C129AE1 for <tls@ietf.org>; Wed, 8 Feb 2017 06:06:14 -0800 (PST)
Received: by mail-ua0-x22a.google.com with SMTP id i68so109738227uad.0 for <tls@ietf.org>; Wed, 08 Feb 2017 06:06:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nWo83wja/qS+LKaSCZ6X8+XiMlffwbj39IjvMqw2/tU=; b=TKWN4yXfSh0foJq6dWQulyu1MfDnX9iFKc0kZwX+ublm7LMnnmwX7JKgBBPKbJpeDY EupYEFor0pKDXDXa0wMl9cQUwC0hADr7NHhLiOGEcsWXAnrCDe5dqDSnppjFTqxPi88p QvJ8Q1hDfSOK2/Kz9Z7ppEOavAkfuwl9K0YAQRIvFCnFA8g8wWjtDbCcbUF6Fm5dseUO YTieL37lf8hkakrtZ1jvxs72my6USeJKr1vRwXzqo97mN2OtkKXSy3m2RTc2PdgaZj+S dCLvBaZQfMz502tIiKiHiqx91AUgYvjCArXtxup1IpvUTWJyogtAlGo4qcBS6/3obBvT jXMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nWo83wja/qS+LKaSCZ6X8+XiMlffwbj39IjvMqw2/tU=; b=f/BoOTB0mYaG3mnoYzHWhENP9TDtLOVmwFRf44BizKHaYauHJpzDRUVQG3JMTkVMdr Zb8A5kVTf2eSGbqG+YvFc1h5Dg1894FL0RUhfV5gNaoqRlen3aTknckPKKwfn9jCG+Cb HG1pcvmSXeoIwS/YOe9s9C75JYWSM/5twqy7Qdnh0oI0OWgaZFpiNygvKP7TbO+br+Ju 1V3rdXX0MGdhBrjic+lA9B53omlM2ov64nn1UpZVzN1z821/RJlDUJP5BoXKFONJwMHu Sop76PijXP9WFKdFv+mNfJfoyFLhHlsT4JQapo2e3HTlIB7rk0tFlL9lhuEuqZM/Y+Bf 1RoQ==
X-Gm-Message-State: AIkVDXKjwkoKBSGUre1q+85izxo4lFnURrQhy3zKOJpT5guL6nmDMOsbv/6nSwe3QF4MBn4YHb+7SpXumtqSzA==
X-Received: by 10.176.82.93 with SMTP id j29mr8734293uaa.57.1486562773411; Wed, 08 Feb 2017 06:06:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.179.140 with HTTP; Wed, 8 Feb 2017 06:06:12 -0800 (PST)
In-Reply-To: <DB1DB8DB-F33A-4435-986E-69628C67C63B@gmail.com>
References: <CAHbrMsCpCH2qSG=cZjMMuWbpzCn8dQhvaTDaRc1riwnYiKGjsg@mail.gmail.com> <DB1DB8DB-F33A-4435-986E-69628C67C63B@gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 08 Feb 2017 09:06:12 -0500
Message-ID: <CAL02cgSbO=mjbjXFPtMCy8JQwF+vP7+JAtBWkUEP-_atbqO2oA@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c1916a40bf1c70548055ecb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iDq0y2vK8q8jTWkKBq8y7C6jVsM>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] New Draft: Using DNS to set the SNI explicitly
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 14:06:23 -0000

For me, the main drawback here (besides the futuristic assumptions), is the
continued reliance on the DNS infrastructure.  Even when using TLS, the DNS
is architecturally hostile to privacy, e.g., due to resolvers operated by
ISPs or the client subnet extension.

I'm sympathetic to the desire to get SNI off the wire or render it
meaningless, but much more interested in solutions where information about
reachability flows over paths that align with application-layer
relationships (vs. lower layers), since these tend to align better with the
parties that an endpoint already has to reveal its interests to.

For example, the proposed HTTP ORIGIN frame [1] allows a web server to
declare itself available to serve origins other than the one the client
connected to, so that the client doesn't have to initiate new TLS
connections for those origins.  That doesn't eliminate the SNI problem, but
it can reduce it in some cases by a couple orders of magnitude.

--Richard

[1] https://tools.ietf.org/html/draft-ietf-httpbis-origin-frame-01


On Wed, Feb 8, 2017 at 2:12 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> On 7 Feb 2017, at 18:12, Ben Schwartz <bemasc@google.com> wrote:
>
> Hi TLS,
>
> Like a lot of people here, I'm very interested in ways to reduce the
> leakage of users' destinations in the ClientHello's cleartext SNI.  It
> seems like the past and current proposals to fix the leak are pretty
> difficult, involving a lot of careful cryptography and changes to clients
> and servers.
>
> While we're trying to figure that out, I think there's a simple trick that
> could help a lot: just let domain owners tell users an alternate SNI in a
> DNS entry.
>
> Here's the full draft:
> https://tools.ietf.org/html/draft-schwartz-dns-sni-00
>
> If you just want to glance at it, I recommend Figure 2.
>
> Please read and critique!  This is a starting point; the contents will
> change based on your input.
>
>
> Hi, Ben
>
> I’m a little surprised that you depend on RFC 7858 (DNS over TLS), which
> is fairly new and lightly deployed, but do not depend on DNSSEC, which is
> (slowly) getting traction.
>
> If you assign a one fake SNI to each real name, then a determined
> adversary (especially the police state) can map the fake SNIs for all
> domains of interest and you lose the privacy.
>
> If you assign one fake SNI for a bunch of real names, then the best an
> adversary can do is to associate a visible SNI with a group of names, some
> of which may be innocuous. But I’m thinking, why do we need SNI at all in
> the TLS handshake?  Obvious answer is to select the right certificate, but
> under this scenario the certificate already has to have the names of all
> domains possibly hosted on the server.
>
> So why not instead use secure delegation using signed CNAME records and a
> new record (which perhaps should be called “noSNI”). Then the diagram looks
> like this:
>
> *  DNS Server                      Client                      TLS Server*
> *     |                               |                                 |*
> *     |<===example.com <http://example.com> AAAA?==========|
>                   |*
> *     |<=_443._tcp.example.com <http://tcp.example.com> NOSNI?=|
>                       |*
> *     |=example.com <http://example.com> CNAME a7.cdn.net
> <http://a7.cdn.net>=>|                                 |*
> *     |==a7.cdn.net <http://a7.cdn.net> AAAA 2001:db8::1=>|
>                   |*
> *     |==example.com <http://example.com> NOSNI cdn.net
> <http://cdn.net>===>|                                 |*
> *     |                               |--------------TCP SYN----------->|*
> *     |                               |<------------TCP SYN+ACK---------|*
> *     |                               |--------------TCP ACK----------->|*
> *     |                               |------ClientHello SNI:none------>|*
> *     |                               |<--------- ServerHello ----------|*
> *     |                               |<-- Certificate name:cdn.net
> <http://cdn.net> ----|*
>
> And the server works it out using the HOST header as Rich said.  Of course
> this depends heavily on DNSSEC validation, but it would work with any
> version of TLS.
>
> Yoav
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email