Re: [TLS] Encrypted SNI

Dave Garrett <> Sun, 06 December 2015 07:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 988041A1AFC for <>; Sat, 5 Dec 2015 23:42:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8uT2tJy9p3oI for <>; Sat, 5 Dec 2015 23:42:54 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 551621A1ADC for <>; Sat, 5 Dec 2015 23:42:54 -0800 (PST)
Received: by qgec40 with SMTP id c40so122235761qge.2 for <>; Sat, 05 Dec 2015 23:42:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=iZ3+D0egYAqgIfFs/nLvcW0Yx3VRHTSKiJw9oYHHCY0=; b=UqcvQ51pFUFSP8Yta0LHtSmUYfnaDeWSTMtNpvd/j4dlT2sVd66XbmIKMV4Akja9Ae CwJgviD5cXBqeDR1hMvhxFOMe1fp2p0YAboC1dCqaShTeHv0sfmoWya4p2lgsI6rGznF n8uonvyXjyR/G+FMaOpi57F4SMIhlNHFYfD3cuqhdoOzN/D9HKu26tmh30kqCE6pScSr 9iP0qO084yoHdrfl4InV3RmxAPrOCSizp9rpZQpqEbu3FOhTbhmmjCB25mpqUFysKe0l e8uc3kndxb1Th1O0uHWKjuSSeWHC6uwnsCiAnN8JbeiMq2ROY1nYk0fzWfFn8XG9JA1H ttYg==
X-Received: by with SMTP id d62mr30993635qhc.27.1449387773598; Sat, 05 Dec 2015 23:42:53 -0800 (PST)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id j89sm9173355qgj.35.2015. (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 05 Dec 2015 23:42:53 -0800 (PST)
From: Dave Garrett <>
Date: Sun, 06 Dec 2015 02:42:51 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Subject: Re: [TLS] Encrypted SNI
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 06 Dec 2015 07:42:55 -0000

On Saturday, December 05, 2015 08:58:58 pm Salz, Rich wrote:
> Can we embed an EncryptedExtension inside an existing EE?  That would let us do TOR purely within TLS, right?

If clients are allowed to send any encrypted extensions other than the tunneling extension (that contains the tunneled hello), then we would have to allow sending an EncryptedExtension through it, otherwise tunneled peers would have less capabilities than non-tunneled. I don't see anything in this design that would prohibit recursively doing this as many times as desired. (e.g. tunnel of a tunnel of a tunnel of a...) That does sound somewhat TOR-like, though obviously, lots more would be needed to actually do anything with that. If this can actually be done, it sounds very promising.