IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for ECH

Eric Rescorla <ekr@rtfm.com> Wed, 13 March 2024 15:26 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DED8EC151068 for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 08:26:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lDTnEZEvB-Zn for <tls@ietfa.amsl.com>; Wed, 13 Mar 2024 08:26:18 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03709C14F6AE for <tls@ietf.org>; Wed, 13 Mar 2024 08:26:18 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id 3f1490d57ef6-d9b9adaf291so4940782276.1 for <tls@ietf.org>; Wed, 13 Mar 2024 08:26:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1710343576; x=1710948376; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9igEJOgrvf1DtvKPtwCQT+Q42Hv3pxSYWKFaHXQ9Oco=; b=gXzCKwYtolqeotclVsiPFY+Q9PkgrXhTir1VJKMFBIyizmYJqz96OQY8G2y9FzOqN6 vGOFhD7AnQSGlWcorpnrGWYpKB0s3CZwKUh8ukOPUjJPb/5VC2CvoUTHNfs0bteVq692 AtlcXRLJld9N5XlESLcDfYhAx8srqaqxA8SdZVmhoHPKuO9INIW0gBEFUi6/h6iyIDVG clLwbdkuh2LyTxC3LOgYDra3EglOvJ0Nj9NDWQ/rAS1FRPNZ37kZndvNgL3vmegmPU06 kkHZVkKJpS80k+9zTcnCjceFlYcrTdflmQyGaqYGWw8qP839ZKCcPgYA6x8Pqs1z2131 3qVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710343576; x=1710948376; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9igEJOgrvf1DtvKPtwCQT+Q42Hv3pxSYWKFaHXQ9Oco=; b=nxMPoIM+pd5Sa8aOsdBtmm79FZcUyqBKmTImXAo2UlkkOWStgCkgA+J6VmxyFPOdAF ybDD6/2LAM6hwSX2YnFTx4wrIv+UeV0RyIZvGoCq+VTzQdE1mBWWaKFDzxsYw+H5r9gS O4vwiPhN10tXW5qs3bOTo2gxYtkpVABjeik33R1Mvl0eu7kD5yyz6YZCbb6uCkYYjHfV g80s2VR6bXPWWOcYgOhKkPVfwaju731QiNg5YoobB3z9JR6dz75kSiowymcJi6mre5Uu a5ezQsAvpBiRafYhcavXkWGPpUTKPcciNYoBoXbihFdyqoZXVs4PO1xuS7E0/aqM1JCh DDtA==
X-Forwarded-Encrypted: i=1; AJvYcCUmAi4PkJlYL4vLWP6vQQs3mrYFPlxZchNVuRdYdjyxxGWVaqEogtpS6J7UHUhuWcLpE2rf1eFZoJA9joo=
X-Gm-Message-State: AOJu0YxiRRCPdfTfdxBXDm5RlsGjcldhO8gkphBJkligHFdE6zalwcDX F+6Yxz7Pitzq8GxQPWLG1yckxZAXLx3t3rOGErtehna6GQyNdIqYvRGJRF4+rGJTofy/uScMuWZ 3pCJy9hMfXGHhpbo1zSsLhsP1lV3kwaxvNkUmtQ==
X-Google-Smtp-Source: AGHT+IGgPSIi9GCHnCroQt1Az+TQWKua+JlDpSoQMy1xb90pi+idZH9IjY+H15l7Y+BWcv/t/b4BdegCJsFG32OK9aw=
X-Received: by 2002:a25:7450:0:b0:dcc:933f:ea83 with SMTP id p77-20020a257450000000b00dcc933fea83mr2552625ybc.30.1710343576290; Wed, 13 Mar 2024 08:26:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com> <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM>
In-Reply-To: <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 13 Mar 2024 08:25:39 -0700
Message-ID: <CABcZeBPK+jdirtxVPJWipXs0odhsqwsG088NC=OPpd4R=q16Zg@mail.gmail.com>
To: Raghu Saxena <poiasdpoiasd@live.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004f2b1f06138c65b9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/p82WMnfiqTTKSKfAgvrtPUCTJdQ>
Subject: Re: [TLS] Working Group Last Call for ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 15:26:22 -0000

On Wed, Mar 13, 2024 at 2:15 AM Raghu Saxena <poiasdpoiasd@live.com> wrote:

> On 3/13/24 14:51, Watson Ladd wrote:
>
> > I'm not sure what problem you want us to solve here. In the case of
> > server offering a single domain, an attacker can determine that
> > connections to that domain go to the server and cheaply block based on
> > IP. As a result the threat model is one of distinguishing between
> > connections to two different inner names.
>
> An IP can be cheaply recycled as well, for instance restarting a VPS on
> a cloud provider. Furthermore, IP based blocking may even be discouraged
> at a higher level, for the exact reason that IPs can change pretty
> easily. As an operator, I might be able to migrate my hosting to a new
> server provider (and hence IP) trivially, but informing my users of a
> domain change is much harder.
>

Yes, but the attacker can easily learn these IPs merely by querying
the DNS. Moreover, they can learn the associated domains by sending
a CH with no SNI at all and seeing what's in the certificate.


> DNS does not propagate atomically with webserver configuration
> > changes. It's thus necessary to deal with mismatches.
> While this is true, if there is a configuration mismatch (and hence ECH
> cannot work), why is the decision made for the server to transparently
> "downgrade" it to non-ECH, instead of sending some kind of alert that
> signifies the client to retry without ECH?
>

Three reasons:

1. Such an alert would be insecure because an attacker could forge it,
thus causing the client to send ECH in the clear.

2. It allows the server to be completely ECH unaware rather than needing
to special case an ECH alert.

3. It allows the server to securely provide a new ECHConfig.

-Ekr



> Regards,
>
> Raghu Saxena
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.31.3 | Report a Bug | By Email | System Status