IETF Logo Mail Archive

Re: [TLS] Tonight's Encrypted SNI Hangout Session

Bret Jordan <jordan.ietf@gmail.com> Tue, 14 November 2017 04:04 UTC

Return-Path: <jordan.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96BCC128AFE for <tls@ietfa.amsl.com>; Mon, 13 Nov 2017 20:04:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5O-kzy_8tc48 for <tls@ietfa.amsl.com>; Mon, 13 Nov 2017 20:04:49 -0800 (PST)
Received: from mail-pf0-x241.google.com (mail-pf0-x241.google.com [IPv6:2607:f8b0:400e:c00::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65E6712704A for <tls@ietf.org>; Mon, 13 Nov 2017 20:04:49 -0800 (PST)
Received: by mail-pf0-x241.google.com with SMTP id i15so3140384pfa.3 for <tls@ietf.org>; Mon, 13 Nov 2017 20:04:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ePMKm3169NEcGF+88YxWCHn//nRGGUXlne02ao7BD7w=; b=mULoNKdkZF2aCgDYbC0l3MGAUqhC7eaayEvhgQwSu2kETTcsZZnMubTN0L+EijbQgf ey1U+R/QUIysGC0lgraf3YnZ3xTt+lx9f3Oe1UBiUuw07F7yUZuLpntQl46eAUBNFNFr 2EJBTVnB4TyZWIQvHfo+GV70bH+dVg549dp2zjezutCbMIfUCuT4u0fGTenAwFjbCk3j ehWcQT3F+CA0itRS6lKKeEWRjn/FkEMMZp9DTpAPKCFgrjXMtE8kGVt86Ys431eeSUYj LJP+ifF0yP2IbC6FQ1AYegO/GMWytUgfoMEuiao2CT+WtFNr6gANntPosSQzC/u27KfH K/Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ePMKm3169NEcGF+88YxWCHn//nRGGUXlne02ao7BD7w=; b=m6gUjP+IIkNJ8UUuAlNxuCp2R4qlNIAi74IQlVRmTnoDBZuTuwDpBkyi8y9+tnS/jo 42pQ1SSUAex/KWTq85r6DWY0FSe6UXBi3McXLLx/L6Kt67eB0PAksz00jCuYm5ZMrOea m44Yb6ZBlh+LQoLN/guYRXMIlhiOnrbAwf7aqaDWiQXpDDUWP+CScvk1MONwQyLXHhei hJdT8HuoLr2Bgto8sH6eC/aQdt4QbSZmucsoQfvjKeDXVesuUFR4gNYV8yIngvKEg/xY Uxk3xK1x5Uyau8st5/ZhwEv49EqKStMW+xpeaC5l9g5ckxcTVh+JYlvi0eDgT0j9f3E3 vaNQ==
X-Gm-Message-State: AJaThX6SYW643Ov4LfDiH4taRz/W6E8IJF/NmmX3Xjy3wfsxeUjK12TO gYKj7aDghDATtTJP02ee6J0=
X-Google-Smtp-Source: AGs4zMaIpdGVuczxGuro93yEP+EaWOeGtdYdEZk6yHYSrosj5Kqb2ui6iojGoY41/Mqqb053r0Ming==
X-Received: by 10.98.38.70 with SMTP id m67mr12255697pfm.131.1510632289042; Mon, 13 Nov 2017 20:04:49 -0800 (PST)
Received: from ?IPv6:2001:67c:1232:144:8c20:fee5:e56:ecb6? ([2001:67c:1232:144:8c20:fee5:e56:ecb6]) by smtp.gmail.com with ESMTPSA id 125sm33961770pff.14.2017.11.13.20.04.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Nov 2017 20:04:47 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-86A97394-1505-42E7-935F-24BB441E11FC"
Mime-Version: 1.0 (1.0)
From: Bret Jordan <jordan.ietf@gmail.com>
X-Mailer: iPhone Mail (15A432)
In-Reply-To: <4890DB57-90E8-4F95-8DAF-1765CF491588@gmail.com>
Date: Tue, 14 Nov 2017 12:04:44 +0800
Cc: Tom Ritter <tom@ritter.vg>, "tls@ietf.org" <tls@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <F86C21FA-9130-45EB-8296-044E03C23D9D@gmail.com>
References: <CAPCpN4t4m9M6u=E29u=TQnBScjRTfA91K9pdyPG3nvyi+GHC3w@mail.gmail.com> <CA+cU71nf1qpCNkRzUgm3Xh_Y9P4zTFD3sD2wp6xPutdLPZzB9A@mail.gmail.com> <4890DB57-90E8-4F95-8DAF-1765CF491588@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ulesdVFuLedP9c_JrLypiVJLBw8>
Subject: Re: [TLS] Tonight's Encrypted SNI Hangout Session
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 04:04:56 -0000

Great comments and feedback. Thank you.  

Bret 

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

> On Nov 14, 2017, at 10:43 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> 
> 
>> On 14 Nov 2017, at 0:00, Tom Ritter <tom@ritter.vg> wrote:
>> 
>> Are you also interested in collecting reports of where SNI is used to
>> censor? Or the list of network vendors that support filtering and
>> manipulating traffic based on the value?
> 
> I don’t think naming and shaming is a goal here.
> 
>> In general, the bad uses of SNI are harder to enumerate because people
>> aren't willing to come to the WG and explain how they use SNI to
>> selectively break or censor the internet for their citizens/users.
> 
> I don’t think that’s true. I used to work for a vendor of a network firewall, and I can explain how this is done.  
> 
> Inspecting the ClientHello to find the SNI for filtering is a weak way to do filtering. It’s also a light-weight way.  So if I want to filter Wikipedia, I match SNIs to "*.wikipedia.org” and I have my filtering. Depending on how many cycles I can spare, this is a cost-effective method. We have evidence that it’s been used for filtering, but sophisticated users can circumvent this - they can configure the browser to use TLS 1.0 and not send SNI at all.
> 
> More modern firewalls make a probing connection to the server, sending a ClientHello that is almost identical to the one sent by the real client and checking the returned certificate.  The names specified in that certificate are used for the filtering. That information is cached so that not every real ClientHello has to wait for a probing connection.  I don’t know if any vendor has made this scale to filter an entire country’s browsing, but this is considered to be more reliable than filtering by SNI.
> 
>> We
>> have a few confirmed cases, anecdotal evidence, and lots of evidence
>> of censors being technically applied by whatever means is available.
>> 
>> But when you pile up all the administrators who will come to the WG
>> and say "This really frustrates me and makes my job harder" you're
>> going to have a much bigger pile than the users (or even technical
>> advocates like myself) we can bring in and say "Plaintext SNI is
>> harming the Internet”.
> 
> IMO the real game-changer will be having an encrypted part to the ClientHello. If all ClientHellos are different, this defeats caching.
> 
>> 
>>> Side question, it feels like this effort could represent a lot of work and
>>> require a lot of dedicated cycles. Does it make sense to continue this
>>> effort inside of the TLS WG?  If it does, will the WG give us the time,
>>> mindshare, and cycles to focus on it (just asking the hard question)?
>> 
>> In August we adopted the draft, so the answer is "Yes".
>> 
>> -tom
>

v2.23.0 | Report a Bug | By Email