IETF Logo Mail Archive

Re: [TLS] About encrypting SNI

"Sniffen, Brian" <bsniffen@akamai.com> Mon, 14 April 2014 20:38 UTC

Return-Path: <bsniffen@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7B841A06F9 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 13:38:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.172
X-Spam-Level:
X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZdUC13ZHhp4 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 13:38:27 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (prod-mail-xrelay06.akamai.com [96.6.114.98]) by ietfa.amsl.com (Postfix) with ESMTP id D309F1A06E7 for <tls@ietf.org>; Mon, 14 Apr 2014 13:38:26 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 2856A1655CB; Mon, 14 Apr 2014 20:38:24 +0000 (GMT)
Received: from prod-mail-relay08.akamai.com (unknown [172.27.22.71]) by prod-mail-xrelay06.akamai.com (Postfix) with ESMTP id 136921655C9; Mon, 14 Apr 2014 20:38:24 +0000 (GMT)
Received: from usma1ex-cashub.kendall.corp.akamai.com (usma1ex-cashub6.kendall.corp.akamai.com [172.27.105.22]) by prod-mail-relay08.akamai.com (Postfix) with ESMTP id E4BA19803E; Mon, 14 Apr 2014 20:38:23 +0000 (GMT)
Received: from USMBX1.msg.corp.akamai.com ([172.27.107.26]) by USMA1EX-CASHUB6.kendall.corp.akamai.com ([172.27.105.22]) with mapi; Mon, 14 Apr 2014 16:38:22 -0400
From: "Sniffen, Brian" <bsniffen@akamai.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Mon, 14 Apr 2014 16:38:21 -0400
Thread-Topic: [TLS] About encrypting SNI
Thread-Index: Ac9YIXnLs1knShYrSpStmfpuoDN2gg==
Message-ID: <474FAE5F-DE7D-4140-931E-409325168487@akamai.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net>
In-Reply-To: <534C3D5A.3020406@fifthhorseman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/signed; boundary="Apple-Mail=_21F8FD2D-D245-471A-A4E0-545A2097865D"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vqb_BWU-uCkX7g8jkRWrKqzQKMo
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 20:38:31 -0000

On Apr 14, 2014, at 3:56 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

>> encrypting SNI requires us to either have a single long-lived keypair for all customers, or require an extra RTT for clients to fetch an EDH key, perhaps still shared, but hopefully more secure. The latter is particularly off-putting since customers paying for a "faster, better" end-user experience are now at a disadvantage. Some in this community might not deploy TLS 1.3 to avoid the "retry penalty." This would be a shame.
> 
> The discussion of possible handshake flows suggests that the extra RTT
> does not need to be in every handshake; several proposals for
> "semi-static" DHE keys have been put forward already, and
> second-connections need not have the extra RTT.
> 
> Depending on how we define the mechanism, the initial SNI-protecting DHE
> key could even be per-IP address, rather than per-domain, which would
> allow further reductions in RTT for sites hosted on large farms with a
> few public-facing IP addresses.

More narrowly to that point:

We are in a historically rare position of having one suite of generally-agreed good crypto: ECDHE, ECDSA*, AES, SHA2.  That hasn't been true most days since the creation of SSL; we've wondered about export vs. not, 3DES vs RC4, DSA vs RSA, and so on.  We're probably going to end up in that conflicted and confused world again, in which reasonable people can disagree about their cipher suite choices.  Encrypted SNI means that every site on an address must agree on certain parts of their cipher suite.

In a world where I'd like to operate a backwards-compatible site for vehicle firmware upgrades, prominent social media sites, and mobile app back-ends off of one address, that means I'm stuck!  I expect to see that around ECDSA (required by governments) vs. Ed25519 (required by those frightened by governments), AES (for GCM to computers > 1 kg) vs. ChaCha (for Poly1305-AEAD to computers < 1 kg), and similar.  

I don’t see a path to low-RTT protection of the host identity that doesn’t require all hosts in an identity-group to share their cryptographic politics on many dimensions.  And at that point, I can’t tell whether you’re talking to HRW or AI, but if you’re doing it from Tibet, you’re dead anyway.

-Brian

* With carefully chosen nonces

v2.23.0 | Report a Bug | By Email