IETF Logo Mail Archive

Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Watson Ladd <watsonbladd@gmail.com> Sat, 28 November 2015 18:58 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37E811B33FE for <tls@ietfa.amsl.com>; Sat, 28 Nov 2015 10:58:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KDTHyzMDDi99 for <tls@ietfa.amsl.com>; Sat, 28 Nov 2015 10:58:57 -0800 (PST)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EFE51B33FD for <tls@ietf.org>; Sat, 28 Nov 2015 10:58:57 -0800 (PST)
Received: by wmuu63 with SMTP id u63so86356078wmu.0 for <tls@ietf.org>; Sat, 28 Nov 2015 10:58:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=hnIwaABDB1+FiuQVsycRM4iYlY4k1jCcKg/qt1hf/6M=; b=zcSGzfxo8JGkIKR8fec6EPNK3rNnV+sJ2nBUGWpSssxK+8IzoT29m0a5LhV3RuyR5c BYIOl7r7PKlOmAOBWtXjvv7yRcvmsEXta4Mp98gp0cqyIbZWxu42U0n+4WUh6UGRmOJe nrkg84CXJaXT3PCAQs0rp/NkTe/tn7oI3nVfhyVL0mmNJuMnbfMfyWt66cGOb4iqpiTE F1G//gbi9xOhS9chTrTJnT3sTIIyuaIYYi5AbbeFECCbL3CP+5cYPA+t+vwulwGwHc2j mB24XnL3zJa9r3GvycXiJ/EADhwCNPitbggq0NDc3x2JbNoErO6amJOVoESNmOszAHHg spXA==
MIME-Version: 1.0
X-Received: by 10.194.200.227 with SMTP id jv3mr19486689wjc.20.1448737135761; Sat, 28 Nov 2015 10:58:55 -0800 (PST)
Received: by 10.28.102.84 with HTTP; Sat, 28 Nov 2015 10:58:55 -0800 (PST)
In-Reply-To: <CAHOTMVK2KHTW-BiEfTHANNCvWnek_Vk_=uTDdgh=n6WqrN3zvA@mail.gmail.com>
References: <56586A2F.1070703@gmail.com> <565882FE.80205@streamsec.se> <A62C0689-E779-483D-86FF-6DF095DC7A0F@proceranetworks.com> <56599884.2090609@streamsec.se> <5659D957.3030909@zinks.de> <5659DCD8.2030400@streamsec.se> <5659DED3.3030908@zinks.de> <CAHOTMVK2KHTW-BiEfTHANNCvWnek_Vk_=uTDdgh=n6WqrN3zvA@mail.gmail.com>
Date: Sat, 28 Nov 2015 13:58:55 -0500
Message-ID: <CACsn0cmmbP87RVn3etO-FR6URocwu-T3qfnayZ_9cXmUuBt6sg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b8750da59a12605259e66c0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/tjiMnMRZWDLvEsPqaFBqIq99v_E>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2015 18:58:59 -0000

On Sat, Nov 28, 2015 at 1:08 PM, Tony Arcieri <bascule@gmail.com> wrote:

> On Sat, Nov 28, 2015 at 10:05 AM, Roland Zink <roland@zinks.de> wrote:
>
>> Am 28.11.2015 um 17:56 schrieb Henrick Hellström:
>>
>>> AFAIK, HTTP 1.1 browsers typically don't send a new request over an open
>>> connection, before it has received the response to the previous request. If
>>> that is the case, it is trivial to get the message lengths from the
>>> traffic, with or without encrypted TLS record headers. IOW you gain nothing
>>> by encrypting the length fields.
>>>
>>> I think this is what browsers do by default. For HTTP2 this should be
>> different.
>
>
> This is HTTP/1.1 pipelining, which is supported by most browsers but
> typically disabled by default as most servers don't support pipelining
> correctly.
>

I think the above analysis is wrong. Consider a service written in Go using
the built-in TLS library. Then the number and sizes of writes is visible to
an attacker, which can reveal information about which branches were taken
and the data sent. That's not because the total size of the response
necessarily changes, but the sequence of writes taken to get there.


> --
> Tony Arcieri
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>


-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.14.0 | Report a Bug | By Email