Re: [TLS] DNS-based Encrypted SNI

Eric Rescorla <ekr@rtfm.com> Wed, 04 July 2018 18:20 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 04 Jul 2018 11:20:05 -0700
Message-ID: <CABcZeBPLBn7jc2rWxcSdvw-n7EZdxBn+XL+22g+W+JNs56nHkQ@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oq3xT0bjdtKKVZXuF4g5IR9mEMQ>
Subject: Re: [TLS] DNS-based Encrypted SNI

Hi Kathleen,

On Wed, Jul 4, 2018 at 11:10 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:

> I’m also fine with the work going forward, however it was only in March
> that EKR assured people concerned that they don’t need to worry about SNI
> being encrypted repeating similar statements previously made to the same
> effect.  Meantime, he was working on such a solution.


This is not really correct. As of March, I had basically given up on how to
do ESNI in TLS in the near future and wasn't really working on it [0] and then
in May, prompted by suggestions by Matthew Prince and Nick Sullivan, I
realized that the proposal in this document could work.

Moreover, I think I've been pretty clear that I wanted to do ESNI and it
was just that we didn't know how. For instance, here's what I said in
PATIENT:

   My evaluation of the current state of SNI encryption is that given the
   current technical state, it will not see particularly wide deployment, with
   the primary scenario being "at-risk" sites who are subject to censorship who
   either hide behind or co-tenant with sites which are not subject to
   censorship. That probably isn't going to be incredibly common right now. Of
   course, this is regrettable from the perspective of people designing these
   protocols, but I think that's the situation.

As I said the other day, predictions are hard, especially about the future,
and this turns out not to have been totally right (though I also don't
think it's really accurate to characterize it as my saying that people
don't need to worry). I'm sorry if people are surprised now. That
wasn't my intent, but as I said above, I was surprised too!

-Ekr

[0] Just to be completely clear, there was and is ongoing work on
protecting SNI via HTTP connection coalescence (see Mike Bishop's
presentation in London), but that's a different flavor of approach, and
it's not like it's any secret it's happening.




> Kathleen