IETF Logo Mail Archive

[TLS] Encrypted hellos (was Re: "Encrypted" SNI)

Dave Garrett <davemgarrett@gmail.com> Sat, 13 May 2017 03:01 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF67112942F for <tls@ietfa.amsl.com>; Fri, 12 May 2017 20:01:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trnOkor3SP5D for <tls@ietfa.amsl.com>; Fri, 12 May 2017 20:01:55 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240431293FD for <tls@ietf.org>; Fri, 12 May 2017 19:58:52 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id y201so61648066qka.0 for <tls@ietf.org>; Fri, 12 May 2017 19:58:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=n4r+Y+GSXfHWVMfWeraWL8r3J5iKZq8ekRO9CE5U8bw=; b=vcBj3xQHsUGMq2qFwmU2zPz22Me5gvkWKUsZoR2Wb31moxBkaapNykqhfZcI33xIzl AA2qBHwroe7i0AqAiJN60nmFwD79zJLU+57EhUI7Uhapi7nAa1tQ+9ThIG8YhqYdVK23 ++PdpXQLtId1lhn8HOsco66vwu4oJl661o1rsqtND4UqQrME90NhhBGl6dwsMgZvlgCv MYflH+gh2aCj0S3VgRRhs66PeE9pTcCQvBCz339+na3KSIQJfo5SBJHkwtREZck7wpkc hc8NgfCUHQQ81yHEOgS3GcIHY+ZSRA9nzk5Xt0VV5RkNh63RIuYm296SAnNwN3d7tHoH oY6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=n4r+Y+GSXfHWVMfWeraWL8r3J5iKZq8ekRO9CE5U8bw=; b=tEA1PepJWxyfjuujI6cYtvolp3e1GoEd+lKpXxjtKiS/Bi17uxzyVzd4r7t0Wkuq5f dgawTVipyCS6TL4NyvmTgmjyhUYY0orh4ylYtdpsO+5L7VNaNXEMuT1RGDa3S2wt+QJ2 EHx+2N53ULe0PjmGQEZCEWS41SEb0BiCKOAa5mLgvHSLQv7pjpQiymlZWZHajJgNnUP7 Letr8q3mgluja7iPvCQHZpyzDNJEGlZOkLIA0Pc+Zjv48H9hW+pahFsEleFn75GNdQQo iTo8nCyyzD/Mb+HHuhRXC+gua4qQ8+91tkdSyUEXBg+TFEScPxSxqfuSIs/JQGLeqizA g39g==
X-Gm-Message-State: AODbwcAqBu80+tvOTT/FFZVK6oqg08NDV4YQ+0MpTUIlXf9yG1Ht3clU cMZ9ReH/gDNsMQ==
X-Received: by 10.55.90.199 with SMTP id o190mr2285883qkb.120.1494644331211; Fri, 12 May 2017 19:58:51 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-185-36-197.phlapa.fios.verizon.net. [71.185.36.197]) by smtp.gmail.com with ESMTPSA id f201sm2223196qka.59.2017.05.12.19.58.50 (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 12 May 2017 19:58:50 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 12 May 2017 22:58:48 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <3768598.32hupQ9b2b@pintsize.usersys.redhat.com> <b117285e-4820-3ed8-9eb8-0f0d09e17f09@huitema.net> <87ziekihp6.fsf@fifthhorseman.net>
In-Reply-To: <87ziekihp6.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201705122258.49117.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vLHWekAfcI6bKfiiSLUBgwIc54Q>
Subject: [TLS] Encrypted hellos (was Re: "Encrypted" SNI)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 May 2017 03:01:57 -0000

On Wednesday, May 10, 2017 03:28:48 pm Ilari Liusvaara wrote:
> On Wed, May 10, 2017 at 07:28:51PM +0200, Hubert Kario wrote:
> > Yes, encrypted SNI was discussed and ultimately rejected.
> > 
> > But do we really have to send the literal value? Don't we need to just make 
> > sure that the client and server agree on the host that the client wants to 
> > connect?
> > 
> > Couldn't we "encrypt" the SNI by hashing the host name with a salt, sending 
> > the salt and the resulting hash, making the server calculate the same hash 
> > with each of the virtual host names it supports and comparing with the client 
> > provided value?
> 
> What makes encrypting SNI nasty is replay attacks.
> 
> There also was proposal for putting SNI mapping into DNS (which limits the
> leakage if DNS lookups are private). However, I came up with a way to use
> that to attack HTTPS (the usual "default vhost" attacks).

On Wednesday, May 10, 2017 04:24:05 pm Daniel Kahn Gillmor wrote:
> On Wed 2017-05-10 12:12:34 -0700, Christian Huitema wrote:
> > It certainly was. But then the clear text SNI is a gaping privacy hole
> > in TLS, the kind of issue that should keep us awake at night until it is
> > resolved. We need to make sure that we make progress, rather than rehash
> > the old arguments. Maybe we should invest some time and document the
> > various proposals in a draft. I am willing to work on that. Any other
> > volunteers?
> 
> I agree with Christian's assessment of the problem, and i'd be
> interested in collaborating on such a draft.
> 
> The DNS folks are making strides to protect name information (the other
> main place where this kind of data is leaking).  TLS needs to keep up.

Encrypted SNI has been talked to death, and coming up with new schemes that warrant air quotes in the subject around "encrypted" feels like a waste of time. Wouldn't it be better to just focus on finishing the encrypt-all-the-things approach and plan out a way to distribute a host DH key (+ a few params, e.g. port(s)+protocol(s) to use with encrypted hellos) via DNS to encrypt everything straight from the ClientHello? Stick a supported_groups in there as well and we can make HRR unneeded while we're at it. This would also protect against 3rd parties attempting to fingerprint clients via ClientHello parameters. (probably a few other things that could be listed that could be helped, too)

Simply put, some of us were convinced a while ago that encrypted SNI isn't nearly as useful as it first seems, however fully encrypted hellos address that problem and more. I think it'd be better to work towards a more complete solution here than just worrying about SNI.


Dave

v2.23.0 | Report a Bug | By Email