Re: [TLS] In support of encrypting SNI
Seth David Schoen <schoen@eff.org> Wed, 14 May 2014 20:47 UTC
Return-Path: <schoen@eff.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB141A017E for <tls@ietfa.amsl.com>; Wed, 14 May 2014 13:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.653
X-Spam-Level:
X-Spam-Status: No, score=-7.653 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yghOidXC6Ehn for <tls@ietfa.amsl.com>; Wed, 14 May 2014 13:47:14 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) by ietfa.amsl.com (Postfix) with ESMTP id A7BFB1A01B7 for <tls@ietf.org>; Wed, 14 May 2014 13:47:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=yR5IPLxi0u0i59Y+MAc0lK5meJARR1pKvQhb/vQpq7s=; b=nVluqez/x+MSYGaWIUFdvK3xV9IbVBU8f44YUu0JqegsN3adZYsZ8ZyFPMdOjcbPrDyprzN0q3Ycccs93GyMd04O1mq51fk8I/9Yf3d0jxG7W61Nky39j9/qsJNYBT+x17X9YcmY7smRCF4cA4hixp7sGp6hOqhjcvGBXi9eUqw=;
Received: from localhost ([127.0.0.1]:55748 helo=sescenties) by mail2.eff.org with esmtp (Exim 4.80) (envelope-from <schoen@eff.org>) id 1Wkg4x-0006Yr-Rj; Wed, 14 May 2014 13:47:08 -0700
Date: Wed, 14 May 2014 13:47:07 -0700
From: Seth David Schoen <schoen@eff.org>
To: Dan Blah <dan@blah.is>
Message-ID: <20140514204706.GC8392@sescenties.(null)>
References: <5373C4F3.3010602@blah.is>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5373C4F3.3010602@blah.is>
User-Agent: Mutt/1.5.21 (2010-09-15)
Received-SPF: skipped for local relay
Received-SPF: skipped for local relay
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jEIk4TKdEeJf1IuIblQm9FBYIbE
Cc: ietf tls <tls@ietf.org>
Subject: Re: [TLS] In support of encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 20:47:17 -0000
Dan Blah writes: > Many of the discussions and subsequent decisions that move forward here > are incredibly important to OTF's work. As such, I wanted to toss in our > support for the coming version of TLS 1.3 to "Encrypt as much of the > handshake as possible". This should include all of the metadata and > TLS-layer routing information. We think by default is important for > those threatened users we work closely with. I would like to add the Electronic Frontier Foundation's support to this view. We have been learning so much recently about the privacy significance of communications metadata. At the time that many basic Internet protocols and mechanisms were created, the cutting edge of privacy was providing merely optional mechanisms to protect session content. We can see today that protocols that were designed with good engineering intentions in their time are nonetheless leaking a lot of data that is, in fact, sensitive. That includes leakages of unique device and user identifiers, which can even be used to track people's physical whereabouts, as well as leakages of other endpoint identifiers -- like the name of a virtual host. In the modern era, it's good practice to be extremely aggressive about minimizing cleartext data leaks in protocols. SNI and other parts of the TLS handshake are one part of that, and it is worth focusing attention on them to try to protect as much user information as possible. The TLS handshake is a target of scrutiny for censorship as well as surveillance purposes. This is particularly significant since some providers have started to host resources for extremely disparate sites and services (creating much more threshold uncertainty for a censor about what a particular user is actually trying to access). Middleboxes are already able to use SNI for censorship purposes today. It's true that equivalent information can leak in other ways, such as through DNS queries. But as Alyssa Rowan previously noted here, the existence of multiple parallel information leakage sources risks creating a "circular argument of doom and defeat" when attempting to fix any of them -- where we might not try to fix DNS query privacy because of the SNI problem, and vice versa! And even today, some adversaries may well be on-path for observing the TLS handshake but not for observing DNS queries, and vice versa. SNI -- and the rest of the handshake -- isn't the most privacy-sensitive source of information leaks in Internet protocols. (That honor might go to MAC addresses, which allow passively recognizing the presence of particular devices at the data link layer, or to any of several mechanisms at the HTTP layer that allow second or third parties to recognize a particular client over time.) But it's still worth trying to address these information leaks in a modern secure communications protocol. -- Seth Schoen <schoen@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
- [TLS] In support of encrypting SNI Dan Blah
- Re: [TLS] In support of encrypting SNI Salz, Rich
- Re: [TLS] In support of encrypting SNI Seth David Schoen
- Re: [TLS] In support of encrypting SNI Stephen Farrell
- Re: [TLS] In support of encrypting SNI Watson Ladd
- Re: [TLS] In support of encrypting SNI Michael Carbone
- Re: [TLS] In support of encrypting SNI Fabrice
- Re: [TLS] In support of encrypting SNI Christian Huitema
- Re: [TLS] In support of encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] In support of encrypting SNI Robert Ransom
- Re: [TLS] In support of encrypting SNI Stephen Farrell
- Re: [TLS] In support of encrypting SNI Marsh Ray
- Re: [TLS] In support of encrypting SNI Watson Ladd
- Re: [TLS] In support of encrypting SNI Martin Rex
- Re: [TLS] In support of encrypting SNI Watson Ladd
- Re: [TLS] In support of encrypting SNI Martin Rex
- Re: [TLS] In support of encrypting SNI (off-topic) S Moonesamy
- Re: [TLS] In support of encrypting SNI (off-topic) Michael Carbone
- Re: [TLS] In support of encrypting SNI (off-topic) S Moonesamy