Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
Ralf Skyper Kaiser <skyper@thc.org> Tue, 12 November 2013 10:06 UTC
Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C3F721E80BA for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 02:06:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.452
X-Spam-Level:
X-Spam-Status: No, score=0.452 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JkFiRUF2OI2N for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 02:06:28 -0800 (PST)
Received: from mail-ie0-x229.google.com (mail-ie0-x229.google.com [IPv6:2607:f8b0:4001:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id BC53821E80B0 for <tls@ietf.org>; Tue, 12 Nov 2013 02:06:27 -0800 (PST)
Received: by mail-ie0-f169.google.com with SMTP id tp5so3136720ieb.28 for <tls@ietf.org>; Tue, 12 Nov 2013 02:06:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vISWZKic3wjoD0mv7C1sqWAufbhEowuGAzPDA2sQ3Rk=; b=B/Uk2bsf0VHflmejkib0sOerDm3nUAJT4fcDY2OdEAEHuOx4ty2I5im8hurC8H/Fbd TfovHyCo0ONMTp/eJgi5R7/5V6v5YlEpX1EHDroCumDVbnwgoNWLlDFAR5s/YtRjMRKt 2ENipU4kzPi7+3VQEMzhQhQvPvkWmLca0k7Ck=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=vISWZKic3wjoD0mv7C1sqWAufbhEowuGAzPDA2sQ3Rk=; b=Pn0YNRKJzabMnuvPLQSVHFhD6M3SDWRr6W+PUS9gMA2ceQjySY3ybPwgIekBLqAzQu D9O77qf0vn4QqxfPym0J/lVvoKZhBKKI/nRkvN6UHsqhe18JYa5Qbk/IoszVol10tuA3 cGvatCf7JdAJXVmWJhmjSyyphrbFunDF/RvJJNA8lmh1uCCgdvF97QdffTB5Zr4ylcDK kl2QT9DqPonzKnIAtEkT5i0np0XY3x5m4280C3sxRNqw9lc2zKaYPQKk6orokBHN15Ss /ftPviy9foJ26VaLIPSiRh5bzZgY0120tJ/ut7sPNzo8KB+4BY9An2WuRQOwz5LI8Q1P 9fag==
X-Gm-Message-State: ALoCoQknXD0QVxmj6zavDPJ/hloCJIUGZ1APZ0PAhaEKJSZms1xZe5InNk3KN3ibbGho1AVN5J5z
MIME-Version: 1.0
X-Received: by 10.50.128.137 with SMTP id no9mr15222000igb.36.1384250787212; Tue, 12 Nov 2013 02:06:27 -0800 (PST)
Received: by 10.64.108.163 with HTTP; Tue, 12 Nov 2013 02:06:27 -0800 (PST)
X-Originating-IP: [217.39.7.72]
In-Reply-To: <528193BC.9060804@seantek.com>
References: <20131112005546.D6E781AA7B@ld9781.wdf.sap.corp> <528193BC.9060804@seantek.com>
Date: Tue, 12 Nov 2013 10:06:27 +0000
Message-ID: <CA+BZK2qiFM-xruwgRDU8Nf8K7=E6sLytnQYF9xp=VWB9jiuxtQ@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: Sean Leonard <dev+ietf@seantek.com>
Content-Type: multipart/alternative; boundary="047d7b10cf0d73c35a04eaf800b5"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 10:06:43 -0000
Hi, Martin, you are right that SNI is currently implemented and transmitted in clear. This was however not the primary design goal but rather a choice of convenience and lack of better/easier ideas. The primary design goal for SNI was to allow multi-homing HTTPS servers on the same IP (so that apache can select the correct x509 certificate for whatever site the client requested). There is no practical or security benefit or transmitting SNI in clear. Sean, your argument "but DNS leaks infos as well, and the attacker can do reverse lookups, ..." etc are valid but shall not prevent us from fixing these problems one by one. DNS will support confidentiality. Reverse lookups do not work on multi-homed SSL servers [you only get 1 host name back but not 1,000 domains hosted on that host], .. etc etc). I hear you loud and clear that a more work on other protocols (including DNS) has to done to prevent leaking of domain names. I agree. Let's start with TLS and SNI. regards, ralf On Tue, Nov 12, 2013 at 2:34 AM, Sean Leonard <dev+ietf@seantek.com> wrote: > On 11/11/2013 4:55 PM, Martin Rex wrote: > >> Ralf Skyper Kaiser wrote: >> >> SNI can be transmitted encrypted and should be transmitted encrypted (see >>> recent plenary sessions at IETF88). >>> >> What you seem to want to do is not SNI, but something else. >> >> >> Martin, with your argument why should we fix anything at all in any >>> product >>> or design? >>> >> Don't fix it if it ain't broken. SNI is not broken. >> >> >> The proposed solution FIXES passive pervasive surveillance in TLS 1.3. >>> >> [...] >> >> Let's make pervasive passive surveillance harder. >>> >> To me, this is self-illusion. Why should NSA look at SNI at all? >> > > Okay so here's the thing. A passive observer of the network can probably > figure out that a particular TLS connection is intended for a particular > hostname. > > The client and server IP addresses are in the clear. No question. > > To figure out the server's IP address from its hostname, the client must > do a DNS lookup. This will be in the clear. Even if a particular client > doesn't go over the (surveiled) public Internet to do the DNS lookup (due > to local DNS server caching), for any nontrivial amount of connections, the > DNS record will float through the public Internet in the clear at some > point. > > Thus an eavesdropper can easily correlate the reverse lookup, IP address > -> hostname(s), in a minimal amount of time. > > So, the fact that SNI is in the clear, is not really leaking additional > information that a passive (but consistent and pervasive) eavesdropper > would have figured out in the first place. > > Unless of course you are using SNI to stuff in side-channel information > (i.e., something other than a hostname)...but then you are not obeying the > SNI protocol in the first place. > > FWIW, I would prefer that all metadata (whether SNI or otherwise) not be > in the clear. But as Martin Rex said, it being in the clear is not fatal to > security. > > -Sean > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- [TLS] Final nail in the coffin for cleartext SNI/… Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Ryan Hurst
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Seth David Schoen
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Jacob Appelbaum
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Sean Leonard
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Phillip Hallam-Baker
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Bodo Moeller
- Re: [TLS] Final nail in the coffin for cleartext … Marsh Ray
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Geoffrey Keating