Re: [TLS] About encrypting SNI

Watson Ladd <watsonbladd@gmail.com> Tue, 15 April 2014 15:01 UTC

In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7120B4902B5@USMBX1.msg.corp.akamai.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED40@USMBX1.msg.corp.akamai.com> <534C3D5A.3020406@fifthhorseman.net> <474FAE5F-DE7D-4140-931E-409325168487@akamai.com> <D2CB0B72-A548-414C-A926-A9AA45B962DA@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490162@USMBX1.msg.corp.akamai.com> <CACsn0cmusUc3Rsb2Wof+dn0PEg3P0bPC3ZdJ75b9kkZ5LDGu_A@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B490291@USMBX1.msg.corp.akamai.com> <A4745833-76B0-45C3-B926-B240602F2289@gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B4902B5@USMBX1.msg.corp.akamai.com>
Date: Tue, 15 Apr 2014 08:01:14 -0700
Message-ID: <CACsn0cnXZ4Cy7jh_qGtNwwLW6b0V3t_9JNm6qFFLUKDHQdUcBQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/zvHN3C2QeufDHGBFOcKHptU-spw
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] About encrypting SNI

On Tue, Apr 15, 2014 at 6:56 AM, Salz, Rich <rsalz@akamai.com> wrote:
>> So if you're hosting like tumblr, you can do yoavnir.tumblr.com and richsalz.tumblr.com and have a *.tumblr.com certificate.
>
> Yes, I know.  It would mean that aaa.privacy.org and kkk.privacy.org would be under the same DNS name.  You could mitigate that by having a CNAME entry.
>
> My question is about the security, not the discoverability (or vanity, if you will).

Figure out how the browser knows to not send SNI (are we going to do
this for everything? probably not) and I think we've solved the
problem. DNS entries may or may not work: I need to think about it
more.

Sincerely,
Watson Ladd
>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
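The mechanism the thread is arguing about, as an added example that is not part of the original messages: in TLS 1.2 the server_name extension travels inside the plaintext ClientHello, so anyone on the path can read the hostname a browser is connecting to, and a ClientHello sent without the extension gives that observer nothing to read. The code below is constructed for illustration only (build_client_hello makes a minimal hello with zeroed random bytes and a single cipher suite; extract_sni is the parse a passive observer would run on captured bytes). Neither function is from the thread or from any TLS implementation.

```python
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello wrapped in a TLS record.

    Constructed for illustration: the 32 random bytes are zeros and only
    one cipher suite is offered. server_name=None omits the extension.
    """
    body = b"\x03\x03" + bytes(32)            # client_version TLS 1.2 + (constructed) random
    body += b"\x00"                           # empty session_id
    body += _u16(2) + b"\xc0\x2f"             # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                       # compression_methods: null only
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerNameList: one ServerName of name_type host_name(0)
        sn_list = b"\x00" + _u16(len(host)) + host
        exts += _u16(0) + _u16(len(sn_list) + 2) + _u16(len(sn_list)) + sn_list
    body += _u16(len(exts)) + exts            # extensions vector (may be empty)
    handshake = b"\x01" + _u24(len(body)) + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name carried in a ClientHello, or None if no SNI is present.

    Operates on raw bytes, i.e. exactly what a passive observer on the
    network path sees before any encryption is negotiated.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]

    pos = 2 + 32                              # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                         # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                         # skip compression_methods
    if pos >= len(body):
        return None                           # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0:                        # extension_type server_name(0)
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if name_type == 0:            # host_name
                    return name.decode("idna")
    return None


if __name__ == "__main__":
    # Two tenants behind one *.tumblr.com certificate (hostnames from the thread)
    # are still distinguishable on the wire when SNI is sent.
    for name in ("yoavnir.tumblr.com", "richsalz.tumblr.com", None):
        print(name, "->", extract_sni(build_client_hello(name)))
```

The parser returns the name without validating anything else about the hello, which is the point: no key material is involved yet, so a wildcard certificate on the server side does nothing to hide which tenant the client asked for. Only a hello built with server_name=None yields None.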