Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)

"Salz, Rich" <rsalz@akamai.com> Fri, 28 August 2015 16:33 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)
Thread-Index: AQHQ4ayRRnZKd+mYm0W69zVWwS2qcZ4h7AsA//+sgMA=
Date: Fri, 28 Aug 2015 16:33:31 +0000
Message-ID: <ff810758165f48198e714af899c04e8f@ustx2ex-dag1mb2.msg.corp.akamai.com>
References: <CAL6x8mchyh2Qpqcd5Rv-rXgZ+1_CAbV7vkib+-yU4DEDFx82Yg@mail.gmail.com> <CAL6x8mfDjYAhOwvBY-tFO-407E9U+SaknJnuh_dCEEUbWJZZWw@mail.gmail.com> <20150828144932.GH9021@mournblade.imrryr.org> <201508281213.03823.davemgarrett@gmail.com> <20150828162251.GM9021@mournblade.imrryr.org>
In-Reply-To: <20150828162251.GM9021@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rj6Wj4Bfh_KWb3kYEArrjNDvJ4U>

> > The idea I had the other day is that we can technically do SNI
> > encryption with the current TLS 1.3 draft, as-is.

Yeah, some of us talked about this in Dallas, etc., when the "semi-static EDH key" really started to take hold.  I showed slides at the interim before IETF 90 in Toronto that seemed to convince everyone that it doesn't really get you the privacy you think you get.  (I couldn't find them in the meeting materials; if anyone wants the PDF let me know.) There's still the DNS leakage, to which dkg reasonably points out that we should not succumb to the deadly embrace of each component waiting for the other.

> And how often will the same client visit multiple servers at the same
> transport address?

Anyone who visits sites hosted by a CDN.  And, I suspect, many large portals.
> I don't really see this as viable or worth the effort.

Agree.

	/r$