Re: [TLS] draft-ietf-tls-esni feedback

Ben Schwartz <bemasc@google.com> Tue, 22 October 2019 14:56 UTC

MIME-Version: 1.0
References: <CAChr6Sw3f7du3JYxfcWSZje1zjDzsRBQyDjob-AvzjWeZzKW7g@mail.gmail.com> <CABcZeBPbw_KOo_ieSqkksYPeLtb9DufBz628oFPYc_Ue4S9iww@mail.gmail.com> <CAChr6SwB+7Jt2TLJSQh3q=Roizdt2=9jCBa9nq8KRxRo=86uZQ@mail.gmail.com> <CABcZeBNBtDK7q175tseEUiCVds=khj4xXYJZRf7GU9VGNDJ_Tg@mail.gmail.com> <CAChr6Sz6xHtFWjOKrLp3sp9MpC-SoU9Sx=vk22ditjShA7B=Kg@mail.gmail.com> <CABcZeBOnE+gyNu7GarAfO0bptoPfzQQ=VKeWLdpJBDM=E4yhzg@mail.gmail.com> <CAChr6SxWE66jPRbnBRtwNSn3L+uNFkoFBbYNOBAkKDN05qotoA@mail.gmail.com> <CABcZeBOy8ogJrmFajxX1pqjqgnE61gE=c3CWz+pp34NWHmGKbw@mail.gmail.com> <03e15760-dfce-cd7b-baea-56ac70d92192@cs.tcd.ie> <CAChr6SzmpSn3Q8tBi+Pdc+Bq7stiukbufbh-jDt+AEtrkV8XGg@mail.gmail.com> <f87c2916-d03d-2715-7b36-7b70fead8df4@cs.tcd.ie> <CAChr6SxfT0ed5J89siGX23A0G77BJQWxFRDoJ1w0v7=5O0KERw@mail.gmail.com> <8063bb12-8462-53fa-fa62-1e5abb1a652e@cs.tcd.ie> <CAHbrMsBPJqzaUSa42gGq45MfsTvCVW7t95q3feWEiSYeSN9ocw@mail.gmail.com> <333fde42-76f9-1af3-0f0f-c70914b0222e@cs.tcd.ie>
In-Reply-To: <333fde42-76f9-1af3-0f0f-c70914b0222e@cs.tcd.ie>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 22 Oct 2019 10:56:05 -0400
Message-ID: <CAHbrMsA0PFwvu3hvZgXMbe2Buzq9dQHgNJJLOqtyMUzb-qpc0A@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Rob Sayre <sayrer@gmail.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000b16486059581007b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zhIk6n_tGtzZrzuJInTvUXZTev4>
Subject: Re: [TLS] draft-ietf-tls-esni feedback
Precedence: list

On Tue, Oct 22, 2019 at 4:21 AM Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
>
> Hiya,
>
> On 22/10/2019 04:27, Ben Schwartz wrote:
> > Note that the current text in the editors' draft says that when
> > applying GREASE, "The padded_length value SHOULD be 260 or a multiple
> > of 16 less than 260.".  We don't need GREASE to send 260 all the time,
> > and the draft doesn't recommend it.
>
> ISTM that GREASE needs to follow the kinds of lengths
> used in practice to be most useful, so if 260 does get
> widely used, then I guess that's what'd be most useful
> to GREASE.

Agreed.  (Although the details of this are potentially tricky, like
whether the random length can be sticky without accidentally labeling
the user.)

> > Personally, I expect that 260 will be rare for real deployments,
> > because most systems serve a fixed, known set of domains, and those
> > that serve a large, dynamic set probably already impose a tighter
> > length limit.
>
> I don't know of any hoster or service with such a name
> length limit. Do you have any example where a DNS name
> that can be published and used as a TLS SNI would be
> declined by a service provider?

Sure.  For example, tumblr limits usernames to 32 characters:
https://unwrapping.tumblr.com/post/58535402323/tips-tumblr-username

These usernames also form the subdomain part of the *.tumblr.com
wildcard, so the longest allowed name is [32 chars].tumblr.com.

I expect that most wildcard TLS hosts impose similar limits.

> > One intriguing alternative would be to define some ESNI ciphersuites
> > that encrypt a strong hash of the name.  Then a server with a large
> > but finite name database can choose one of these ciphersuites,
> > pre-compute hashes for names when entering them into the DB, and
> > quickly invert incoming hashes with a DB lookup.  I wouldn't want to
> > make this the only option because it can't support true wildcard
> > servers, but I think it would cover most potential users while
> > limiting the length to 32 octets or similar.
>
> Yeah, that'd be nice but as you say doesn't work well
> for wildcard certs, which I think is a showstopper.

I don't think it's quite that bad.  For example, this approach would
work fine for tumblr in principle.  Any hash corresponding to a name
that exists can be inverted from their database.  Any hash
corresponding to a name that doesn't exist will return the default
cert, which still covers *.tumblr.com.

The case where this doesn't work is when multiple wildcard domains
share an IP but not a certificate.  That seems most likely in a CDN
context, where multiple wildcard customers could be sharing an IP and
providing their own certificates.  If the CDN's operational
architecture allows pushing all wildcard customers into a single
certificate, the limiting factor becomes the number of names allowed
in one certificate.

> I
> do think there are other algorithmic options we could
> go with though, that would work.

I suppose a server could indicate that the first N labels be included
verbatim, and the remainder should be hashed.  Or maybe it should only
be hashed if it's longer than the hash size ... there are all sorts of
options here.

>
> Cheers,
> S.
>
>

Attachment: smime.p7s

[TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Christian Huitema
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Patrick McManus
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Ben Schwartz
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Ben Schwartz
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Salz, Rich
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Salz, Rich
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Eric Rescorla
Re: [TLS] draft-ietf-tls-esni feedback Ben Schwartz
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Christian Huitema
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
[TLS] ESNI padding Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Salz, Rich
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Watson Ladd
Re: [TLS] draft-ietf-tls-esni feedback Bill Frantz
Re: [TLS] draft-ietf-tls-esni feedback Watson Ladd
Re: [TLS] draft-ietf-tls-esni feedback Ilari Liusvaara
Re: [TLS] draft-ietf-tls-esni feedback Ben Schwartz
Re: [TLS] draft-ietf-tls-esni feedback Ilari Liusvaara
Re: [TLS] draft-ietf-tls-esni feedback Ilari Liusvaara
Re: [TLS] draft-ietf-tls-esni feedback Ben Schwartz
Re: [TLS] draft-ietf-tls-esni feedback Rob Sayre
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Christopher Wood
Re: [TLS] draft-ietf-tls-esni feedback Stephen Farrell
Re: [TLS] draft-ietf-tls-esni feedback Ilari Liusvaara

Re: [TLS] draft-ietf-tls-esni feedback

Attachment: smime.p7s