IETF Logo Mail Archive

Re: [TLS] New Draft: Using DNS to set the SNI explicitly

mrex@sap.com (Martin Rex) Fri, 10 March 2017 08:25 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56D701294FA for <tls@ietfa.amsl.com>; Fri, 10 Mar 2017 00:25:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_TRY_3LD=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymVg3qaIIpjz for <tls@ietfa.amsl.com>; Fri, 10 Mar 2017 00:25:43 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DDAC1293D9 for <tls@ietf.org>; Fri, 10 Mar 2017 00:25:43 -0800 (PST)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 3vfgLs4bJDz264p; Fri, 10 Mar 2017 09:25:41 +0100 (CET)
X-purgate-ID: 152705::1489134341-00002B31-0EE1FE8F/0/0
X-purgate-size: 2766
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3vfgLs2DyRzGnwL; Fri, 10 Mar 2017 09:25:41 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 4112D1A63F; Fri, 10 Mar 2017 09:25:41 +0100 (CET)
In-Reply-To: <CAHbrMsA=Wk+6U+yLvtY-TNaYbt-UYy4u9+m2fgBSsvF9Es491Q@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Date: Fri, 10 Mar 2017 09:25:41 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170310082541.4112D1A63F@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/y4RAURGFHJ_FIuxjyG8H0-iWKr0>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] New Draft: Using DNS to set the SNI explicitly
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 08:25:45 -0000

Ben Schwartz wrote:
> Martin Rex <mrex@sap.com> wrote:
> 
>>Ben Schwartz wrote:
>>>
>>> Like a lot of people here, I'm very interested in ways to reduce the
>>> leakage of users' destinations in the ClientHello's cleartext SNI.  It
>>> seems like the past and current proposals to fix the leak are pretty
>>> difficult, involving a lot of careful cryptography and changes to clients
>>> and servers.
>>
>> It is formally provable that there is no solution to the problem
>> that you're describing.
> 
> Perhaps I'm not trying to solve the problem that you're thinking of?
> 
> Here's an example:
> Wordpress.com uses HTTPS, with a wildcard certificate (*.wordpress.com) for
> all its hosted blogs, which have domains of the form
> myblogname.wordpress.com.  A passive adversary watching traffic to
> Wordpress.com can currently determine which blog each client IP address is
> accessing by observing the IP source address and the TLS SNI in the
> ClientHello message.
> 
> With this proposal, if Wordpress were to set an SNI DNS record on each
> subdomain, with empty RDATA, compliant clients would omit SNI when
> contacting the Wordpress server.  Connections would still work fine, but
> the passive adversary would no longer know which client is accessing which
> blog.
> 
> Is there something wrong with this example that I am missing?

You don't understand the purpose of SNI and how the (already weak)
rfc2818 section 3.1 server endpoint identification and CABrowser Forum
public CA Domain validation has been designed to work.


Wordpress.com isn't using SNI at all, so the ultimate solution
would be for the client to entirely omit SNI from ClientHello.

wordpress itself could achieve just the same by using URLs
of the kind

   blogs.wordpress.com/blogname with a cert issued to blogs.wordpress.com

rather than

   blogname.wordpress.com with a cert issued to *.wordpress.com


You might want eventually want to check with the logging functionality
of Adblockers (such as uBlock) or browser plugins like "Collusion", to how
many different servers & domains a typical server (including *.wordpress.com)
publishes (HTTP-Referer) where the user just went.


The decision to register a distinct & seperate name in DNS is an explicit
and obvious desire to **PUBLISH** this information.  If you do not want
to publish information, DO NOT REGISTER it in the DNS, so that it will
and it will never appear in SNI, in DNS lookups, or in DV-validation
request for obtaining a TLS server cert from a public CA.



Btw. your adversary will see the cleartext DNS lookup prior to the
TLS handshake, and tell accesses to multiple different blogs apart by
looking at the size of the responses.

-Martin

v2.23.0 | Report a Bug | By Email