Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Jacob Appelbaum <> Thu, 03 December 2015 15:24 UTC

On 12/3/15, Salz, Rich <> wrote:
>> I actually went in thinking that I'd be crushed and concede; imagine my
>> surprise!
> The fact that you viewed it as "crushed and concede" implies to me that your
> mind was already made up, and that no description of trade-offs was going to
> sway you.  Is that belief unfair to you?

No, I said explicitly the opposite: I expected that you would change
my mind because you took the time to think about it, write slides and
present it. I'm late to the party, so I had an open mind and was
shocked that this was what had convinced anyone at all.

I'm sympathetic to the government pressure angle but I do not believe
that because one is afraid, one does better by preemptively

If Akamai wants to leave their users insecure, I look forward to
another CDN offering privacy options. Such choice is missing if that
isn't an option and it isn't on as a strong default.

In any case, I await the specific cryptographic details and some of
the people in my cryptographic research group (non-Tor) are
interested. When it is published, I'll see if it actually helps to
solve the problem at hand. If we can't design a cryptographic scheme
to protect SNI, I'd understand fully why we won't have such a
protection deployed. If we design it and then we're unhappy about DNS,
well, great, one problem down - next up, dnsop works to solve the DNS
query privacy problem. There is already work being done there - so I
think we're on the way.

All the best,