Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

"Salz, Rich" <> Wed, 02 December 2015 18:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0BFDA1ACCF5 for <>; Wed, 2 Dec 2015 10:00:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W1BbVIPE-wRR for <>; Wed, 2 Dec 2015 10:00:28 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 9BBA51A8977 for <>; Wed, 2 Dec 2015 10:00:28 -0800 (PST)
Received: from (localhost.localdomain []) by postfix.imss70 (Postfix) with ESMTP id 2A24D16C091; Wed, 2 Dec 2015 18:00:28 +0000 (GMT)
Received: from ( []) by (Postfix) with ESMTP id 140BC16BFA3; Wed, 2 Dec 2015 18:00:28 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=a1; t=1449079228; bh=POOZAD+SDHqxSISp67G11m+csjGIsZWy/0gf6HYPtiU=; l=1001; h=From:To:CC:Date:References:In-Reply-To:From; b=v7+G2giYiBsHhVwj1JEEK5aP+xgKgp/gmw/dUqt2x5xVNtn1EVyBFWiHY6d5uKUIa 4pp4Y1zPgkJcUJI0UiaopW0Ug/JET3sbxZdndz9XrvdPS/FHg37vIKO/nBwF6hMyfm Qgw98T7BW99JumZ8Qc1LLYjO0ciSQaNUSPJeKBnE=
Received: from ( []) by (Postfix) with ESMTP id EF3381E080; Wed, 2 Dec 2015 18:00:27 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1076.9; Wed, 2 Dec 2015 13:00:27 -0500
Received: from ([]) by ([]) with mapi id 15.00.1076.000; Wed, 2 Dec 2015 13:00:27 -0500
From: "Salz, Rich" <>
To: Jacob Appelbaum <>, "" <>
Thread-Topic: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Date: Wed, 02 Dec 2015 18:00:26 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Dec 2015 18:00:31 -0000

> I think that is false. One could easily use the "cleartext" SNI field and insert an encrypted value. A hash of the name would be a simple example but not a secure example, of course.

Encrypted SNI doesn't give you the kind of protection you think that it does.  We (me and a colleague) did a pretty thorough analysis that showed this.  It was not a conclusion we expected, or wanted, to reach.   It was presented at the TLS Interim before the IETF in Toronto.  Slides should be online.  (For example, the adversary will know the IP address or might not care about false positives, etc.)

In spite of this, another colleague (Brian Sniffen) came up with a way to do it at the tail end of the Seattle interim.  Encrypt the "true" SNI in the semi-static DH key of a "fronting" site.  And then the front decrypts the true SNI and forwards to the obscured site. Ekr and dkg presented it in Yokohama, but not very well. :)  They're presumably working on something better.