IETF Logo Mail Archive

Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Yoav Nir <ynir@checkpoint.com> Thu, 07 November 2013 17:30 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C6DA11E81E6 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 09:30:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.522
X-Spam-Level:
X-Spam-Status: No, score=-10.522 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tueSc0uKCuo0 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 09:30:27 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1406311E81D1 for <tls@ietf.org>; Thu, 7 Nov 2013 09:30:15 -0800 (PST)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id rA7HUBGN007596; Thu, 7 Nov 2013 19:30:11 +0200
X-CheckPoint: {527BCCA0-1-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.106]) by DAG-EX10.ad.checkpoint.com ([169.254.3.213]) with mapi id 14.03.0123.003; Thu, 7 Nov 2013 19:30:11 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Ralf Skyper Kaiser <skyper@thc.org>
Thread-Topic: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
Thread-Index: AQHO29cQ9VyMic6aPkyI1tVd5LOXZJoZ1sKAgAAGd4CAAAeWAA==
Date: Thu, 07 Nov 2013 17:30:11 +0000
Message-ID: <EEF0FE50-3032-4C7B-BA07-1845CDEDA155@checkpoint.com>
References: <CA+BZK2qUE3oS6Sbp1HbKZ7Wgen9gEjjdepON1egLhGqCPpoVBw@mail.gmail.com> <CACsn0c=VWmsfxvE_17+FyBASUXPCNrS1FQQ02fzhF5rA6zx4wQ@mail.gmail.com> <CA+BZK2oAj6FmXTbDoY0oRHpHFVzeN-NmDJde2mJTwOzBW0CdiQ@mail.gmail.com>
In-Reply-To: <CA+BZK2oAj6FmXTbDoY0oRHpHFVzeN-NmDJde2mJTwOzBW0CdiQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.53]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_EEF0FE5030324C7BBA071845CDEDA155checkpointcom_"
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 17:30:32 -0000

Hi, Ralf.

I'm not disagreeing with you regarding 1.3. At least in the long version of the handshake (which you should be able to enable in any browser, if you want a little more privacy in exchange for an extra roundtrip).

But ordinarily, the sites that can get you killed are not collocated with benign sites. And even when sites are collocated, the servers demux not based on the SNI parameter in the TLS handshake, but based on the Server header in HTTP. The only use of the SNI parameter is for selecting the right certificate. So if you try to go to https://www.gmail.com , you get a certificate for www.gmail.com<http://www.gmail.com> , before being redirected to the same server, but this time with the URI https://mail.google.com .

It would be much nicer if we could update HTTPS (RFC 2818) to support this kind of multi-homing so as to make SNI superfluous. For example, if the server certificate could list the different domain names that it was valid for. Yes, I know there's an economic side to this as well. I'm sure the CAs could charge by alternate name if needed.

Yoav

On Nov 7, 2013, at 9:03 AM, Ralf Skyper Kaiser <skyper@thc.org<mailto:skyper@thc.org>> wrote:


On Thu, Nov 7, 2013 at 4:39 PM, Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote:
On Thu, Nov 7, 2013 at 8:32 AM, Ralf Skyper Kaiser <skyper@thc.org<mailto:skyper@thc.org>> wrote:
>
>
> 1. Meta-data is important. Meta-data tells a lot about a person.
> Meta-data can get a user killed or worse. Transmitting the host-name
> (meta-data) in clear in TLS is not good (as in ‘not good because it
> can get you killed’ and there is no alternative for the user – unless
> the user is a tech-wizard.).
They can use Tor. They need to anyway: reverse DNS lookups are not
rocket science.

[...]

>
> There are other ways how an adversary can extract the same meta-data.
> This should not deter us from fixing it in TLS. Maybe we will find a
> solution for the other problems as well (like confidential DNS).
No, the other problem is you connect to the server and ask it to show
you a page,
and learn what the server is. The sole exception is multihosting,
which is getting
less common for various reasons.

As a hacker I would love TLS to leak the host information. It would enable me
to find out which user connects to admin.blubb.com<http://admin.blubb.com/> and who connects just to
www.blubb.com<http://www.blubb.com/> (both domains hosted on same server).

Your comments are wrong in this scenario: Connecting to the server does not help
the hacker to gain above information. Neither does reverse lookup.

TLS leaks it and there is no other way the hacker would get this information if
TLS would not leak it. Transport Layer Kind-off-Security protocol is the problem.



regards,

ralf

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email