Re: [TLS] New Draft: Using DNS to set the SNI explicitly
Ben Schwartz <bemasc@google.com> Wed, 08 February 2017 15:57 UTC
Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06996129BF8 for <tls@ietfa.amsl.com>; Wed, 8 Feb 2017 07:57:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mv7mSPHogEPE for <tls@ietfa.amsl.com>; Wed, 8 Feb 2017 07:57:46 -0800 (PST)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33316129BED for <tls@ietf.org>; Wed, 8 Feb 2017 07:57:46 -0800 (PST)
Received: by mail-it0-x22b.google.com with SMTP id r185so106171577ita.0 for <tls@ietf.org>; Wed, 08 Feb 2017 07:57:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=AcQ/dNLLUOmxgIhgwjKC8+y6nlGaJ9Wkn0KgxZ9a/U8=; b=qV/WyNvQBi6eHPYVEtEuAvdFeBBsDARnWHQWEkwRQxsbQJRRuj/Eduk2GyZPHRKUFt BfxoBiFEZJ7uYDuQibjMvHnNDVPc7eQn99RsdBbIwMWfswEw4IGLwK46Y3lObLVgIgVm IO9I/sdsR25XycPrBlAdDSax6siJ+FVpxmox3wU1KzFbuJA+ZafUNOQatbzhR4bNkVhQ ilBq6hrZRo5XDh1OecWr5W0r3VripclUmT5Kd8YKOdgvSmq7TsmY4bBbZrDsHXW1Zky6 H12VkDxNOH1RXEdjiyZ3zRHKq8w1bec2VpdQCms6V6gOr9el7DS4Nu20o2MCnvw3rdx+ 5y7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=AcQ/dNLLUOmxgIhgwjKC8+y6nlGaJ9Wkn0KgxZ9a/U8=; b=RhX5fWkqH970qTYN9ErR+LjmpXZIPwhtfEIpTIRJYze1FZnaaOkPtFva4HL6XA28bV ZdTwE6J+r5JJTySmHfkqy5hTGH6tewxazcLSN/BlaEAfhP62TNveLxog3VlHfld4zX2/ /8lB5TDCfg+6fZpLTK3zlG5fuMzlNoOEI4mjE7rAGMfisAm1PoOs+Uox6k2VvlEpcnFc dbJWvxEuz4ln/dAUk+0g4R59MImk+PLMAMjkjXrw/enhziL88xofyp5llahF0Qw1nwF8 JhDMWKdlCTdS7pRJwZrRTPuf424MfhHW6FecrTVHQGJtPrjNKzi9PeKHI1u2JFCQ817h ridA==
X-Gm-Message-State: AIkVDXKrecIiVcFJO0I125nEkhWEeV/8BvOXXc5bza1SZWpuj+fvdUBsCeqRLgnwFfk8b8ddFQDEdjT3ryhrezRt
X-Received: by 10.36.25.83 with SMTP id b80mr17493321itb.98.1486569465429; Wed, 08 Feb 2017 07:57:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.135.164 with HTTP; Wed, 8 Feb 2017 07:57:44 -0800 (PST)
In-Reply-To: <DB1DB8DB-F33A-4435-986E-69628C67C63B@gmail.com>
References: <CAHbrMsCpCH2qSG=cZjMMuWbpzCn8dQhvaTDaRc1riwnYiKGjsg@mail.gmail.com> <DB1DB8DB-F33A-4435-986E-69628C67C63B@gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 08 Feb 2017 10:57:44 -0500
Message-ID: <CAHbrMsDOE6ZwBFeyEZ2CPzJOUohUtemSUKHKUbVfX71rGhR_mg@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a11440182ec29ea054806ec0f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ib5y1eoUh5EOxGBtmSprRWst_iI>
Cc: tls@ietf.org
Subject: Re: [TLS] New Draft: Using DNS to set the SNI explicitly
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 15:57:48 -0000
On Wed, Feb 8, 2017 at 2:12 AM, Yoav Nir <ynir.ietf@gmail.com> wrote: > > On 7 Feb 2017, at 18:12, Ben Schwartz <bemasc@google.com> wrote: > > Hi TLS, > > Like a lot of people here, I'm very interested in ways to reduce the > leakage of users' destinations in the ClientHello's cleartext SNI. It > seems like the past and current proposals to fix the leak are pretty > difficult, involving a lot of careful cryptography and changes to clients > and servers. > > While we're trying to figure that out, I think there's a simple trick that > could help a lot: just let domain owners tell users an alternate SNI in a > DNS entry. > > Here's the full draft: > https://tools.ietf.org/html/draft-schwartz-dns-sni-00 > > If you just want to glance at it, I recommend Figure 2. > > Please read and critique! This is a starting point; the contents will > change based on your input. > > > Hi, Ben > > I’m a little surprised that you depend on RFC 7858 (DNS over TLS), which > is fairly new and lightly deployed, but do not depend on DNSSEC, which is > (slowly) getting traction. > To be clear, the draft only depends on RFC 7858 for privacy, not integrity, against a "near" adversary who otherwise could learn the sensitive information by watching the client's DNS queries. Against that adversary, your proposal here would also need RFC 7858. Against a "far" adversary who can only see traffic to the TLS host, neither proposal needs RFC 7858. If you assign a one fake SNI to each real name, then a determined adversary > (especially the police state) can map the fake SNIs for all domains of > interest and you lose the privacy. > I agree. > If you assign one fake SNI for a bunch of real names, then the best an > adversary can do is to associate a visible SNI with a group of names, some > of which may be innocuous. But I’m thinking, why do we need SNI at all in > the TLS handshake? Obvious answer is to select the right certificate, but > under this scenario the certificate already has to have the names of all > domains possibly hosted on the server. > > So why not instead use secure delegation using signed CNAME records and a > new record (which perhaps should be called “noSNI”). Then the diagram looks > like this: > > * DNS Server Client TLS Server* > * | | |* > * |<===example.com <http://example.com> AAAA?==========| > |* > * |<=_443._tcp.example.com <http://tcp.example.com> NOSNI?=| > |* > * |=example.com <http://example.com> CNAME a7.cdn.net > <http://a7.cdn.net>=>| |* > * |==a7.cdn.net <http://a7.cdn.net> AAAA 2001:db8::1=>| > |* > * |==example.com <http://example.com> NOSNI cdn.net > <http://cdn.net>===>| |* > * | |--------------TCP SYN----------->|* > * | |<------------TCP SYN+ACK---------|* > * | |--------------TCP ACK----------->|* > * | |------ClientHello SNI:none------>|* > * | |<--------- ServerHello ----------|* > * | |<-- Certificate name:cdn.net > <http://cdn.net> ----|* > > And the server works it out using the HOST header as Rich said. Of course > this depends heavily on DNSSEC validation, but it would work with any > version of TLS. > > Yoav > > In the scenario where "the certificate already has to have the names of all domains", I think the draft already covers this without DNSSEC. The server operator can just set an SNI record with empty RDATA for _443._ tcp.example.com, indicating to the user that they should omit SNI. The case where we would need DNSSEC is if the default certificate _doesn't_ include example.com. I agree that supporting such cases would be good, but I don't think the marginal benefit justifies restricting the whole feature to only clients that do DNSSEC validation.
- [TLS] New Draft: Using DNS to set the SNI explici… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ilari Liusvaara
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Salz, Rich
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Christian Huitema
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Salz, Rich
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Yoav Nir
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Richard Barnes
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Martin Rex
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Martin Rex
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ilari Liusvaara
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Martin Rex
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ryan Sleevi
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ilari Liusvaara
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Viktor Dukhovni
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Dave Garrett