IETF Logo Mail Archive

Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Ralf Skyper Kaiser <skyper@thc.org> Thu, 07 November 2013 21:39 UTC

Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E75A321E8163 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 13:39:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.425
X-Spam-Level:
X-Spam-Status: No, score=-0.425 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gCgOR8p-j7AN for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 13:39:28 -0800 (PST)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 3AF5A21E809F for <tls@ietf.org>; Thu, 7 Nov 2013 13:39:25 -0800 (PST)
Received: by mail-ie0-f182.google.com with SMTP id as1so1893254iec.41 for <tls@ietf.org>; Thu, 07 Nov 2013 13:39:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ynhEcvHYifT2r6KDAXYrTBUEAEZnD/5RHURbXuruvpg=; b=Jdj34hyCjR/FuToxuVbRl483yBkIQpF2jwLH8Cpfd4sZLQK/svhWfEEJsECVADcsT6 7EAjmvnNpPB3S0dHf2SnjIbe/ftL7YEQQL8ha/2VRI1tyE4awQLLxc/MjbLxrtNVq6Mu aBkefCGqungbROzWIaQZG+1W+ifWoC8ypn9/0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ynhEcvHYifT2r6KDAXYrTBUEAEZnD/5RHURbXuruvpg=; b=ejHXjLmhEQA78Xxxm8Sw9JjftGzJOk0IvHZ5khLAK+Tkr5DY6KUjAEzC+GlJsy6mpI VINHII87mfK78i6n87qZG6dIFzRgYiG+dYmAJm1A5ZWhpYHlpKCyMrgkOx+sEiFJY6ZM QjJRC1yI5WPJ1q0EgQ5+xwS5tQHyrDdBQ7S9KlRU79fk8CDXj8u+fgU6klPWwajYoYZp sH8LE7lQbYSpnlG+efLQXF88QhZKjhbiG+T1kxlmfq5nXIJ/j8qtMAyxwHpaK8fs4HrC qNY1X4YKDErt7ZxrVhTcMmevpKQI69hcyZg1M5IUT3SSCAxA9Ef2rVizYDSD4oPrswZ0 mXJw==
X-Gm-Message-State: ALoCoQmK334VlvJGKzqKQJufzfQ5r4zkTEp4fbk8DXp0eCwRh47pI+FObfXDgtJsEawzMOACwHDm
MIME-Version: 1.0
X-Received: by 10.43.80.67 with SMTP id zt3mr6698926icb.23.1383860364372; Thu, 07 Nov 2013 13:39:24 -0800 (PST)
Received: by 10.64.231.100 with HTTP; Thu, 7 Nov 2013 13:39:24 -0800 (PST)
X-Originating-IP: [70.102.70.79]
In-Reply-To: <20131107200815.F24AB1AA69@ld9781.wdf.sap.corp>
References: <CA+BZK2q_f_JrdkdJRC1MirPH2yzRL2Y_28fi4e2MGdc5Uxnksg@mail.gmail.com> <20131107200815.F24AB1AA69@ld9781.wdf.sap.corp>
Date: Thu, 07 Nov 2013 21:39:24 +0000
Message-ID: <CA+BZK2o411meJDkLwnwOudrkr-G_eWeFx0tirLhUCoSnKsddEg@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary="001a1133326a70984404ea9d1931"
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 21:39:33 -0000

Hi,

For TLS 1.3 there can be a solution that the SNI is never send in clear.

The downgrade attack to TLS 1.2 is possible and would trigger the SNI to be
send in clear again.
(It requires an active attack).

We need the backward compatibility (from TLS 1.3 to TLS 1.2) for the
foreseeable future. That does not
mean that we should continue with the same flaws in 1.3 that we have in
previous TLS versions.

regards,

ralf



On Thu, Nov 7, 2013 at 8:08 PM, Martin Rex <mrex@sap.com> wrote:

> Ralf Skyper Kaiser wrote:
> >
> > On Thu, Nov 7, 2013 at 7:46 PM, Yoav Nir <ynir@checkpoint.com> wrote:
> > >
> > >  IMO, if both sites are either collocated on the same machine, or
> hosted
> > > behind the same SSL accelerator, they already share enough that
> multi-SAN
> > > is not a bad thing.
> > >
> > >  With SNI is it currently stands, the site you are looking for is sent
> in
> > > the clear. If we keep the choose-certificate functionality in 1.3, we
> still
> > > leave it exposed in either the SNI or in the certificate that the
> server
> > > sends. A generic certificate is the only one that hides what the
> client is
> > > browsing.
> > > TLS mailing list
> > >
> >
> > No, SNI can be send encrypted in TLS 1.3 with 'Reduced RT with Privacy'
> as
> > presented by Eric yesterday. Key Exchange is done before SNI is send and
> > auth is done as last. (What's now cleartext would then require
> > detectable-active attack).
>
> I'm sorry, but I firmly believe this will be pure and useless obscurity
> coming at a high cost.
>
> The amount of "activity" for the attack is minuscule (just tear down
> the connection when you see the TLSv1.3 client hello -- the client
> *WILL* reconnect with SNI in the clear.  For the NSA, this is trivial,
> they're actively doing stuff like this on a regular basis (Foxacid).
>
> There are already lots of sites and lots of middle-boxes that cause
> errors like this in a non-malicious fashion, that "detecting" such
> an error is only going to annoy users, but not provide any benefit.
>
> For those negligible situation where there might be any theoretical
> benefit at all, it would be possible to define a seperate TLS extension
> with the properties you're looking for, rather than messing up SNI.
>
> -Martin
>
>

v2.23.0 | Report a Bug | By Email