Re: [TLS] ESNI: Tracking and blocking via record_digest

Rob Sayre <sayrer@gmail.com> Tue, 26 November 2019 03:47 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 928A1120013 for <tls@ietfa.amsl.com>; Mon, 25 Nov 2019 19:47:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nqmHbEJ838WX for <tls@ietfa.amsl.com>; Mon, 25 Nov 2019 19:47:35 -0800 (PST)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFBD9120143 for <tls@ietf.org>; Mon, 25 Nov 2019 19:47:35 -0800 (PST)
Received: by mail-il1-x130.google.com with SMTP id v17so12445180ilg.7 for <tls@ietf.org>; Mon, 25 Nov 2019 19:47:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+pUGMXSRpiuuj6TbF8wQb0I4yWE0ho5SPuydZAM7UH8=; b=n7l37kjq3zRXVamR4zHiDE0zzqw1b9u+nqgWwTjRT7Wtmvhp9iGhkKpiUosrfCdgaY DwYM1HSSAeWIrX4IGQ650B/Wc1dqlkekVfy2vnsKWbHnxAHjSkIsLQ8DXom+lpdGc4Ix UJ/A2WhgymIZ2KloyrBoRhIPry5/nFz2/uYFZ1TwZSG5L0sHPh1Muz1QZTSLWkEl0V9x 9zDhqsCGZ6ObnoFpE5w2TDBuUmuTNA/dYp6JjW7EyK/nr28rqEC6Cb8wdGCSHwuiRp/s KvMN+cYqjW+hr04jXSx1z7xkhws7Kt61i9d9d8IOJ+/DokhLDb1z0vjc0nIRlGn9v1+v Mm8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+pUGMXSRpiuuj6TbF8wQb0I4yWE0ho5SPuydZAM7UH8=; b=dDmfXYuDCnW+Rk7YJxqjn2+Sl0Rn40O/45AIaDg3fjaMOIyugENEutcDD3Y8915+3W HuyOI3oiERLcXLzuZaVUN9bEWnEtuuV8N7ZWXpNl9N8x0BgN5GggK//iXYZ3uCAhRY0/ JSvkUZ4mJjkzWFblSeBnOCY+eqQCMY3N1kTR7vB/Pous34BGDKKuO44Yhk05+VGTobDV xn3848b7hub82oV+tbAyNK3Hs/W94In+RUYdlnk59D6MEss7CzBJGIzEkp7Cfiqx00Rs UNklgcEDzjvufIYOkRJCwMe8YlKPstzNRH4MFE8VX2WJdQF0x0kLplh3vDgt7+/ADGZO 8vjA==
X-Gm-Message-State: APjAAAW2RHvaUnViRnBrrYIb1aBoa/vHy00a2lJVZM55CVWG6bWRBOPC YCYvEnGdcoPeHaX3byx/10L8R/RZwFvmWilWraE=
X-Google-Smtp-Source: APXvYqyx+ZJKI9Skrpo6tALGQ6L+HtXaJuIv7GeHm1wdrToJAm4suGmFwoXOshxWtQZ21+SWYkVqJx0LROQ2DDHZx/M=
X-Received: by 2002:a92:8394:: with SMTP id p20mr37625633ilk.73.1574740054886; Mon, 25 Nov 2019 19:47:34 -0800 (PST)
MIME-Version: 1.0
References: <CAChr6Sxm3fcZUxm8XwZ-UzvxTMxK8TfyK7JBonz8MG2LMpRGjw@mail.gmail.com> <CAHbrMsC8=5fKmmKaNSPiZY42vLmfVLdUYNiwWqox3jJ0H53bxg@mail.gmail.com> <CAChr6SzTL4JLiO6H=6MiPO_eJBKHQVEvv-HWsFcHS+uVAPHybA@mail.gmail.com> <7424f46b-94e7-02ea-61ae-371d2de9b935@huitema.net>
In-Reply-To: <7424f46b-94e7-02ea-61ae-371d2de9b935@huitema.net>
From: Rob Sayre <sayrer@gmail.com>
Date: Mon, 25 Nov 2019 19:47:23 -0800
Message-ID: <CAChr6Sxa_2P9j6YKWXaz1Hxdf6sC08aFmXt-7+scOawL7Ls8Dg@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Ben Schwartz <bemasc@google.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000095cd10059837bd19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xGvmL4t6mfYoP41-TAHxJ4YRTQk>
Subject: Re: [TLS] ESNI: Tracking and blocking via record_digest
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 03:47:37 -0000

Yes, and this concern is covered well by the draft in GitHub, imho.

thanks,
Rob

On Mon, Nov 25, 2019 at 7:33 PM Christian Huitema <huitema@huitema.net>;
wrote:

> Actually there is one use case in which the anonymity set is size 1 --
> mobile servers. The name of the mobile server cannot be deduced from its
> temporary address. It can also not be deduced from the ESNI. But it can be
> deduced from the record digest. The mobile server who wants to maintain
> privacy will want to use ESNI without a record digest,  at the cost of
> course of trial decryption.
>
>
> -- Christian Huitema
> On 11/26/2019 4:37 AM, Rob Sayre wrote:
>
> You're right, this is all there in the draft. It's just scattered around a
> bit, and "anonymity set" is used only once and not defined.
>
> I filed an issue https://github.com/tlswg/draft-ietf-tls-esni/issues/204
> in case the editors want to consolidate text on this concern.
>
> thanks,
> Rob
>
>
> On Mon, Nov 25, 2019 at 11:25 AM Ben Schwartz <bemasc@google.com>; wrote:
>
>> The record_digest, like the ESNIConfig itself, is intended to be constant
>> across all domains that form an anonymity set (i.e. O(1) ESNIConfigs per
>> CDN).  Thus, the record_digest reveals no additional information to an
>> onlooker who can observe the server IP.
>>
>> On Mon, Nov 25, 2019 at 2:03 PM Rob Sayre <sayrer@gmail.com>; wrote:
>>
>>> Hi,
>>>
>>> I see the issue of tracking and blocking via record_digest has come up a
>>> few times in the github repository, but I don't understand the resolution.
>>>
>>> If someone wanted to observe or block traffic to "example.com",
>>> couldn't they retrieve the ESNI keys, calculate the record_digest
>>> themselves, and then use that to spot traffic to "example.com"?
>>>
>>> Is the idea that DNS providers will vary the shared keys?
>>>
>>> thanks,
>>> Rob
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>
> _______________________________________________
> TLS mailing listTLS@ietf.orghttps://www.ietf.org/mailman/listinfo/tls
>
>