IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-sni-encryption

Mark O <Mark.O@ncsc.gov.uk> Wed, 31 October 2018 18:13 UTC

Return-Path: <Mark.O@ncsc.gov.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7323F12F1A5 for <tls@ietfa.amsl.com>; Wed, 31 Oct 2018 11:13:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xpLL0xYGXXL9 for <tls@ietfa.amsl.com>; Wed, 31 Oct 2018 11:13:08 -0700 (PDT)
Received: from GBR01-CWL-obe.outbound.protection.outlook.com (mail-cwlgbr01on0710.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe14::710]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 529BA129C6A for <tls@ietf.org>; Wed, 31 Oct 2018 11:13:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=43JpoDC4jgDGpkjJZp/OwAzb/X65rnFrSydoi6Ex2NI=; b=jJIdJPes0SaStopLKJAenuCvnZ/CTYhMzHygsTSoglwfGMj7zFf6BHtWZebynBEI15yn7e03vu194L7n5Pe6LhSpzVrggSJoJI0o7k+nQPLXVEBta9zTcaprV+eQTT5vIqzqxitZOypUJhqzbwYFBYxpzQiWHkOJafGIXI5O0Ug=
Received: from LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM (10.166.255.18) by LOXP123MB0903.GBRP123.PROD.OUTLOOK.COM (10.166.250.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1273.21; Wed, 31 Oct 2018 18:13:04 +0000
Received: from LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM ([fe80::f53d:62f8:a3d1:6993]) by LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM ([fe80::f53d:62f8:a3d1:6993%3]) with mapi id 15.20.1294.021; Wed, 31 Oct 2018 18:13:04 +0000
From: Mark O <Mark.O@ncsc.gov.uk>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
Thread-Index: AdRxQNI4EhytS2rkQ02oC4kfiidOng==
Date: Wed, 31 Oct 2018 18:13:04 +0000
Message-ID: <LOXP123MB14163C2F40F312AA252FDE46D3CD0@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mark.O@ncsc.gov.uk;
x-originating-ip: [51.140.78.31]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; LOXP123MB0903; 6:SbEHwTNIzrzbgB+QvCT3Fe25DVolaVrwpj+5TUbyHgEBYcX+kghP83noyOtai041S9E9punsD4Onq+2+oT63Pi7MAHbzgD8nd0bvINN+xX0MpeM2jkHOI3SXuqJWbAWZt7w78PuJra+HqgnrhO6L1WUn5s8qscoQVNO2y4FzVGehndrvgP3dKnSyppZr2m5F/5gCblvTXPy+Y4CVXPXbaOA3Xcn5rewzufF1JX1NNYA5sN+ejqiKSPSvNl808ncPBCgRISmqpWuH7C1PxcgRaSNhxEPrFshmNUd1mFMspSDXKcIDKGXcJbQi/CEJ5gLYoVtdBFBsY5u2YFy9nFJNDvZep5g0iAyEOcTtByHPdqP0+yh9rH0eCWC1UU88mLfz3djvOnLqYE1SQFGSFE8t0bZTPH4+NpUD88HoV/HEKEoHkMQm3kROSDwq4si1WFjHH56PotIeQF3nMIYPntnAnQ==; 5:Fhgr/VQPVasomY05CZ4MJFPxsZwflRvNi29HTNwq7VZ1YV96W+yLCoxcSwg078bN7JNCwYGpy8ErYH/VQ55Qi7ZkeQbVYp4oUosXOSiXipjdjVKmiX3YwcF+BbG+C1Jh5eUPrYXK3s/rfXqjuSBNp81+N99ShRDMtbrkI+v/6y8=; 7:+P9+HE2hg8y08TFkYkbfVlnVraK5WnPynh9ASrwGRRYJty7rAolHJyNTOebI8MLWg+Sz1PHlk1x+4+yzE/9p6ZdMv9jT1aq2mPY7itqfaS+W2w4wr6roiBC/zF1rUSHlu+mdrLtHfZemfZV/LxmS6Q==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 54108cff-de9f-445b-51a0-08d63f5c809a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:LOXP123MB0903;
x-ms-traffictypediagnostic: LOXP123MB0903:
x-microsoft-antispam-prvs: <LOXP123MB0903A9ACB0E2E0F648E3E6BBD3CD0@LOXP123MB0903.GBRP123.PROD.OUTLOOK.COM>
x-exchange-antispam-report-test: UriScan:(72170088055959)(192374486261705)(158342451672863)(27231711734898)(21748063052155)(28532068793085)(190501279198761)(227612066756510);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231382)(944501410)(52105095)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:LOXP123MB0903; BCL:0; PCL:0; RULEID:; SRVR:LOXP123MB0903;
x-forefront-prvs: 084285FC5C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(376002)(136003)(396003)(39850400004)(199004)(189003)(72206003)(14454004)(5630700001)(5250100002)(5660300001)(2501003)(7696005)(6916009)(478600001)(229853002)(102836004)(55236004)(14444005)(256004)(6506007)(97736004)(6116002)(3846002)(790700001)(186003)(486006)(316002)(75922002)(2900100001)(99286004)(2351001)(105586002)(86362001)(106356001)(66066001)(25786009)(33656002)(9686003)(5640700003)(54896002)(6306002)(68736007)(53936002)(55016002)(6246003)(476003)(26005)(8936002)(71200400001)(71190400001)(7736002)(74316002)(74482002)(8676002)(81156014)(81166006)(1730700003)(6436002)(2906002); DIR:OUT; SFP:1102; SCL:1; SRVR:LOXP123MB0903; H:LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
x-microsoft-antispam-message-info: hh/7E8JPxVUGSbd7z1LCYIk+Fq6AO6GMgz2/pJMwfdWnblvGN+e+5I4dUyfKSgE2IR0f81oinEH/lhChAIu4px3xP7+xTnlFh/t9ytPh1nqTX5I08NmVsa/NLDVNmP3UlcF5vBkwaib8s+oDnta3wj3PCBYWwx8QiBRetnAj2dB9K0AOMGfZGGf4oC5ck9MTA0Y2Y/RIHAFohOiK/ZgqnKiAHXsBG/ukg31KeRWxPLV8H2izlPlapOCdyaKFtlerObPdU4/9fCcobZFTwRodv8n7O1xeZpWLp3tYj4t6L4JxNdqR9+dwSH4DCNpH9ECw1oQtzSMpd8WeuZ6a6MVH9t5kGsPdrszoBXTpySCM03o=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_LOXP123MB14163C2F40F312AA252FDE46D3CD0LOXP123MB1416GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 54108cff-de9f-445b-51a0-08d63f5c809a
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Oct 2018 18:13:04.4900 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LOXP123MB0903
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jYS7nOvWOMFHksVIAmo2ndCD6OA>
Subject: Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 18:13:12 -0000

Some comments on draft-ietf-tls-sni-encryption-03:

Section 2.3 "End-to-end alternatives"
"Enterprises can deploy monitoring software to control usage of the enterprises [sic] computers."
At the moment enterprises have the option of installing a firewall performing SNI filtering to black-list connections to certain websites. With SNI encryption this becomes ineffective. This draft should describe the privacy impact of enterprises adopting the proposed mitigation strategy of deploying monitoring software.  Similarly, the privacy impact of introducing "opt in" filtering of DNS and packet marking to determine QoS should be addressed. The privacy gains of encrypting SNI need to be weighed against the privacy losses of adopting these mitigations and at the moment this draft does not do that.


Section 3.6 "Proper security context"
This section currently describes one class of solutions where there is a single TLS handshake between the client and the multiplexed server or fronting service, but there is another class, where the TLS handshake is between the client and the protected service. The text in this section should be expanded to encompass both classes (or it could be written as two separate sections if clearer). The text should also draw out that the client and the protected service are placing a great deal of trust in the fronting service, which becomes a very powerful part of the network and hence a very attractive target for attackers or malicious operators.

As a suggestion, consider the following alternative text for section 3.6:


We can design solutions in which the multiplexed server or a fronting service act as a relay to reach the protected service. Some of those solutions involve just one TLS handshake between the client and the multiplexed server (or fronting service). Others involve just one TLS handshake between the client and the protected service.

In the first case, the master secret is verified by verifying a certificate provided by the multiplexed server (or fronting service), but not by the protected service. In the second case, the master secret is verified by verifying a certificate provided by the protected service.

In the first case, the client is exposed to a Man-In-The-Middle attack by the multiplexed server (or fronting service). The client does not verify the identity of the protected service, and thus data exchanged between the client and the protected service can be learned by the attacker. In the second case, the client does not verify the identity of the multiplexed server (or fronting service), thus it is possible for an attacker to perform a Man-In-The-Middle attack between the client and the multiplexed server (or fronting service). Thus it would be possible for the attacker to learn the identity of the protected service.

These designs require that the client has some reasonable trust in these fronting services. If the fronting service is acting maliciously, it may re-direct the client's TLS connection to another service other than the intended protected service. The service receiving the client's TLS connection may not have any way of verifying that the client intended to reach that particular service if it is not able to decrypt the client's SNI; thus the protected service also has to have reasonable trust in the fronting service. If the fronting service is not strongly authenticated, it can be spoofed by an adversary or be subject to MITM attack.

The multiplexed server or the fronting services could be pressured by adversaries. By design, they could be forced to deny access to the protected service, or to divulge which client accessed it. But if MITM is possible, the adversaries would also be able to pressure them into intercepting or spoofing the communications between client and protected service.

These approaches therefore concentrate trust in the multiplexed servers and fronting services, making them attractive targets for adversaries, or for operators of these services to install monitoring, redirection and censorship mechanisms.  It is desirable for the identity of these multiplexed servers and fronting services to be strongly authenticated and verifiable by both the client and the protected service.


-- Mark





This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

v2.23.0 | Report a Bug | By Email