IETF Logo Mail Archive

Re: [TLS] In support of encrypting SNI

Seth David Schoen <schoen@eff.org> Wed, 14 May 2014 20:47 UTC

Return-Path: <schoen@eff.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB141A017E for <tls@ietfa.amsl.com>; Wed, 14 May 2014 13:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.653
X-Spam-Level:
X-Spam-Status: No, score=-7.653 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yghOidXC6Ehn for <tls@ietfa.amsl.com>; Wed, 14 May 2014 13:47:14 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) by ietfa.amsl.com (Postfix) with ESMTP id A7BFB1A01B7 for <tls@ietf.org>; Wed, 14 May 2014 13:47:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=yR5IPLxi0u0i59Y+MAc0lK5meJARR1pKvQhb/vQpq7s=; b=nVluqez/x+MSYGaWIUFdvK3xV9IbVBU8f44YUu0JqegsN3adZYsZ8ZyFPMdOjcbPrDyprzN0q3Ycccs93GyMd04O1mq51fk8I/9Yf3d0jxG7W61Nky39j9/qsJNYBT+x17X9YcmY7smRCF4cA4hixp7sGp6hOqhjcvGBXi9eUqw=;
Received: from localhost ([127.0.0.1]:55748 helo=sescenties) by mail2.eff.org with esmtp (Exim 4.80) (envelope-from <schoen@eff.org>) id 1Wkg4x-0006Yr-Rj; Wed, 14 May 2014 13:47:08 -0700
Date: Wed, 14 May 2014 13:47:07 -0700
From: Seth David Schoen <schoen@eff.org>
To: Dan Blah <dan@blah.is>
Message-ID: <20140514204706.GC8392@sescenties.(null)>
References: <5373C4F3.3010602@blah.is>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5373C4F3.3010602@blah.is>
User-Agent: Mutt/1.5.21 (2010-09-15)
Received-SPF: skipped for local relay
Received-SPF: skipped for local relay
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jEIk4TKdEeJf1IuIblQm9FBYIbE
Cc: ietf tls <tls@ietf.org>
Subject: Re: [TLS] In support of encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 20:47:17 -0000

Dan Blah writes:

> Many of the discussions and subsequent decisions that move forward here
> are incredibly important to OTF's work. As such, I wanted to toss in our
> support for the coming version of TLS 1.3 to "Encrypt as much of the
> handshake as possible". This should include all of the metadata and
> TLS-layer routing information. We think by default is important for
> those threatened users we work closely with.

I would like to add the Electronic Frontier Foundation's support to
this view.  We have been learning so much recently about the privacy
significance of communications metadata.  At the time that many basic
Internet protocols and mechanisms were created, the cutting edge of
privacy was providing merely optional mechanisms to protect session
content.

We can see today that protocols that were designed with good engineering
intentions in their time are nonetheless leaking a lot of data that
is, in fact, sensitive.  That includes leakages of unique device and
user identifiers, which can even be used to track people's physical
whereabouts, as well as leakages of other endpoint identifiers -- like
the name of a virtual host.  In the modern era, it's good practice to be
extremely aggressive about minimizing cleartext data leaks in protocols.
SNI and other parts of the TLS handshake are one part of that, and it
is worth focusing attention on them to try to protect as much user
information as possible.

The TLS handshake is a target of scrutiny for censorship as well as
surveillance purposes.  This is particularly significant since some
providers have started to host resources for extremely disparate sites
and services (creating much more threshold uncertainty for a censor about
what a particular user is actually trying to access).  Middleboxes are
already able to use SNI for censorship purposes today.

It's true that equivalent information can leak in other ways, such
as through DNS queries.  But as Alyssa Rowan previously noted here,
the existence of multiple parallel information leakage sources risks
creating a "circular argument of doom and defeat" when attempting to fix
any of them -- where we might not try to fix DNS query privacy because of
the SNI problem, and vice versa!  And even today, some adversaries may
well be on-path for observing the TLS handshake but not for observing
DNS queries, and vice versa.

SNI -- and the rest of the handshake -- isn't the most privacy-sensitive
source of information leaks in Internet protocols.  (That honor might
go to MAC addresses, which allow passively recognizing the presence of
particular devices at the data link layer, or to any of several mechanisms
at the HTTP layer that allow second or third parties to recognize a
particular client over time.)  But it's still worth trying to address
these information leaks in a modern secure communications protocol.

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

v2.23.0 | Report a Bug | By Email