Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:
> On Wed 2017-05-10 12:12:34 -0700, Christian Huitema wrote:
>> It certainly was. But then the clear text SNI is a gaping privacy hole
>> in TLS, the kind of issue that should keep us awake at night until it is
>> resolved. We need to make sure that we make progress, rather than rehash
>> the old arguments. Maybe we should invest some time and document the
>> various proposals in a draft. I am willing to work on that. Any other
>> volunteers?
>
> I agree with Christian's assessment of the problem, and i'd be
> interested in collaborating on such a draft.
Who's the audience for that draft? If it's meant to document the blind
alleys we've found, perhaps we could list both alleys, and the walls at
the end:
- hash the name [adversaries can hash too]
- hash the name with a salt [adversaries can check the salted hash
too, as if operating all the banned sites]
- encrypt the SNI under the pre-shared key
But beware of:
- the adversary can replay this SNI and see what site he gets
- DDoS risk: servers can't be try lots of crypto (no asymmetric ops,
no operations that scale linearly with number of sites hosted)
- not everybody's going to do this, not even every TLS 1.3 instance
- if networks can't track activity, some will push users to stay on
TLS 1.2.
-Brian
--
Brian Sniffen
Akamai Technologies
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
