Re: [TLS] Encrypted SNI

Eric Rescorla <ekr@rtfm.com> Sun, 06 December 2015 03:31 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59DE21B29CF for <tls@ietfa.amsl.com>; Sat, 5 Dec 2015 19:31:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tEpTvAk5YDBi for <tls@ietfa.amsl.com>; Sat, 5 Dec 2015 19:31:47 -0800 (PST)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com [IPv6:2607:f8b0:4002:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AAAE1B29C7 for <tls@ietf.org>; Sat, 5 Dec 2015 19:31:47 -0800 (PST)
Received: by ykdv3 with SMTP id v3so162815482ykd.0 for <tls@ietf.org>; Sat, 05 Dec 2015 19:31:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=9kwpRWVnyW0bLqPu7JBFzvcYC4k4JklcP4H+Uy1HC/E=; b=SezHM4s3o675nHMMHalt0x7nmGwncaGeJ80qrelqayTIQokVPLOKntU3ZMXVaQBHsQ aqXz54VZB87aIdiQNHKI5cIF8OgtoRDZOVf49ZLpZELlKu5YfcQuvzfU3amKr+Nj+QGm Ng+FCLy4jl+ytkrnG2iWo42HwiIeHgn5jx46J4/mM9OHenLjSfVH8ijP8731rTWsvaM1 4QolaDnX/qaGKJp6Vx1atnQziCxsLaMD6bRD863k3Epmj15o7udb1g37yge6fbxpNRYL ddRrC9wHLt4kXf07v/uGveSqo5ypj5JJrhZ1bjF5X5/Goh8FSKVR/mDsJug3iU0DCgSu RbJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=9kwpRWVnyW0bLqPu7JBFzvcYC4k4JklcP4H+Uy1HC/E=; b=nFh0pCXtOSHM8MwU19IcO3uX2oHU1Mg4mws2ZWBEePP4gaGP3WHbvbWEv3Z2IhXVRg hfLti3b53HI1EuoIuMifEZsM3AcC1FLnuUFu8zfY9MRCH0gIetnYWInN7mF/f52Q0M80 O7LjJOy6XV78/m7Hd3sLduunTtbJL1oUXnuGtT0d4jhadflT0bpiMeJmy+4gxYUEha3N qh7CG3xtignI4QbOUSUAPsUfQd+8V3ymiWnrsnGadpLYJgHMjPRpZwpy013BIvmZPf62 dgFD0GVstiS3WrIUf3WEpQ1eyt2KlMfG8u5+UKitp5LkyVM5CBzHIvVdY5QMSLSNBPPa 4jXw==
X-Gm-Message-State: ALoCoQnpcPVfRfGeeO+f5kwBDiRKBW/5phHduHGiyNxC7/rVw96cABMvqOcDbKAVa+JMW86k6oCJ
X-Received: by 10.129.73.198 with SMTP id w189mr19202497ywa.223.1449372706423; Sat, 05 Dec 2015 19:31:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Sat, 5 Dec 2015 19:31:06 -0800 (PST)
In-Reply-To: <CA+cU71kqqTUnU7U-GN4s8a4YON27MEWxUN+CyiSCyUDpE+cgwA@mail.gmail.com>
References: <CABcZeBPFAp4hD3ykY9pAA4=ELsAkNoa2yDhaoiSP917v5XgAiw@mail.gmail.com> <CA+cU71kqqTUnU7U-GN4s8a4YON27MEWxUN+CyiSCyUDpE+cgwA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 5 Dec 2015 19:31:06 -0800
Message-ID: <CABcZeBNOBVwU4GU1HdJHdX1EhWqaS8UQ31D6ZqEoyWKfTb6Xkg@mail.gmail.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: multipart/alternative; boundary=001a114dc81450786205263261d3
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zC6hHVTxxiZLG0BfrQyiE2AYzbE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypted SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 03:31:48 -0000

On Sat, Dec 5, 2015 at 7:06 PM, Tom Ritter <tom@ritter.vg> wrote:

> On 5 December 2015 at 12:32, Eric Rescorla <ekr@rtfm.com> wrote:
> > Subject: SNI Encryption Part XLVIII
>
> A small concern that probably is "No, that can't happen", but I would
> want to be sure that a normal (non-encrypted SNI) ClientHello would be
> unable to be wrapped in a new ClientHello to a gateway by a MITM
> (without being detected.)
>

That would certainly be consistent with the proposed design. Why is that
bad?


Also, I'm a little confused about what the client is supposed to put
> in the outer SNI (for the gateway). Is this blank? Some constant?


Whatever SNI you would use to talk to the gateway ordinarily. Otherwise
you would have a distinguisher.



> Does
> this change at all in the simple deployment situation when there is no
> gateway involved, and everything sits on the same server?
>

No.

-Ekr

>
>