Re: [TLS] New Draft: Using DNS to set the SNI explicitly
Ben Schwartz <bemasc@google.com> Thu, 09 March 2017 19:26 UTC
Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EADB11297F0 for <tls@ietfa.amsl.com>; Thu, 9 Mar 2017 11:26:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_TRY_3LD=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqCx-MPIde8h for <tls@ietfa.amsl.com>; Thu, 9 Mar 2017 11:26:15 -0800 (PST)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA6E212984B for <tls@ietf.org>; Thu, 9 Mar 2017 11:26:14 -0800 (PST)
Received: by mail-it0-x22e.google.com with SMTP id g138so73207532itb.0 for <tls@ietf.org>; Thu, 09 Mar 2017 11:26:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=G42lMionbCDfUO7pfmgDMTHvSb+MwlOIj5MWJuNgs1s=; b=VDYzYvbJNPtxMbQfFoYMHjYE+DkFiAykGkdhKFDutDe8e4VszwTbjlk/xtK8ILpJoD SbqGY72/SsbRgs/egP7bwitCPQxrfZ7OO9tqcjuBfIn3IVAyqPpu93vUAVNpU4roZTZG 7tqAdcqH04gEWstmKj4lmg0lbXnJcdZZeyAte+y7xkIsfpEbiGQhMgPbfpNJxdnIuSAU sin6exF4YbK7HbFe95/0q8pdtd2aRSctTZXpoK6uKyH12os9C0Q+JbnhcAeUHGX01tW0 qVX0rQ7Cm8bx0D/lGpFoJqSTPkaTQhcal/fonG3OP9UMULfBqoeXxQdsZXyyhmeEIwuF aDPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=G42lMionbCDfUO7pfmgDMTHvSb+MwlOIj5MWJuNgs1s=; b=Al53q3GMYuRkrFEjjNAl2eC6C1ifn3Zd1buoW/Q+kH4VhFXNFem6LeefTBZLBy1nbs 6OLFTxBD8iZneCKQhKKYkiDW4naWDKTPxA1yU0+w6w/Zbj3bc1nxBJHFe5smblVq06Ju RvUdazE/V1j6I8Qir8nkTre2cBMvlnhUVs7kBM8T9wZCfRc/UV281EMojYZE1An3PM1b 442vXQcQRW2F6hHQ1xhjw4rYtdTU2ZaRun4BnNl2RpkZfAIS7md6VpzGcuEyINL2tJ20 RQPKanuC4XDkseA/KEGv5Y5bVkhS/jl5r7SeMq/wux994/xyl9p/p8xt4yjx703YRFsR zEAQ==
X-Gm-Message-State: AMke39kji1VvXPbSuKDFPXiA7CTVwo+vRACMAob5CIPmGcQ/Xx/2/lSqUyjt7uuIOdcpOWWporMM+dMBhT1E2WVt
X-Received: by 10.36.9.202 with SMTP id 193mr13514511itm.98.1489087574067; Thu, 09 Mar 2017 11:26:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.7.207 with HTTP; Thu, 9 Mar 2017 11:26:13 -0800 (PST)
In-Reply-To: <20170309105207.A93041A63F@ld9781.wdf.sap.corp>
References: <CAHbrMsCpCH2qSG=cZjMMuWbpzCn8dQhvaTDaRc1riwnYiKGjsg@mail.gmail.com> <20170309105207.A93041A63F@ld9781.wdf.sap.corp>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 09 Mar 2017 20:26:13 +0100
Message-ID: <CAHbrMsA=Wk+6U+yLvtY-TNaYbt-UYy4u9+m2fgBSsvF9Es491Q@mail.gmail.com>
To: mrex@sap.com
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a11375fbee85b6f054a5137d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nHQaQT2PrHOJrOKr70vRjA8CEf4>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] New Draft: Using DNS to set the SNI explicitly
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 19:26:27 -0000
On Thu, Mar 9, 2017 at 11:52 AM, Martin Rex <mrex@sap.com> wrote: > Ben Schwartz wrote: > > > > Like a lot of people here, I'm very interested in ways to reduce the > > leakage of users' destinations in the ClientHello's cleartext SNI. It > > seems like the past and current proposals to fix the leak are pretty > > difficult, involving a lot of careful cryptography and changes to clients > > and servers. > > It is formally provable that there is no solution to the problem > that you're describing. > Perhaps I'm not trying to solve the problem that you're thinking of? Here's an example: Wordpress.com uses HTTPS, with a wildcard certificate (*.wordpress.com) for all its hosted blogs, which have domains of the form myblogname.wordpress.com. A passive adversary watching traffic to Wordpress.com can currently determine which blog each client IP address is accessing by observing the IP source address and the TLS SNI in the ClientHello message. With this proposal, if Wordpress were to set an SNI DNS record on each subdomain, with empty RDATA, compliant clients would omit SNI when contacting the Wordpress server. Connections would still work fine, but the passive adversary would no longer know which client is accessing which blog. Is there something wrong with this example that I am missing? While you can come up with all kinds of fancy and complicated schemes > that are sufficient to provide you the illusion that you're looking for, > the best you can come up with, will *be* an illusion. But some of > those illusions will cause lots of pain for implementors and make > the whole thing fragile and cause interop problems. > > The situation is pretty similar for the hiding of the ContentType > in TLSv1.3 records. It is formally provable that this can not provide > value, but it make implementations harder and reliably break some > existing stuff. > > -Martin >
- [TLS] New Draft: Using DNS to set the SNI explici… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ilari Liusvaara
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Salz, Rich
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Christian Huitema
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Salz, Rich
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Yoav Nir
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Richard Barnes
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Martin Rex
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ben Schwartz
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Martin Rex
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ilari Liusvaara
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Martin Rex
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ryan Sleevi
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Ilari Liusvaara
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Viktor Dukhovni
- Re: [TLS] New Draft: Using DNS to set the SNI exp… Dave Garrett