On Monday, 15 May 2017 22:10:00 CEST Dave Garrett wrote:
> On Monday, May 15, 2017 07:56:44 am Hubert Kario wrote:
> > On Saturday, 13 May 2017 07:21:06 CEST Dave Garrett wrote:
> > > On Friday, May 12, 2017 11:17:45 pm Christian Huitema wrote:
> > > > EKR did propose a TLS in TLS tunnel back in December 2015:
> > > > https://mailarchive.ietf.org/arch/msg/tls/tXvdcqnogZgqmdfCugrV8M90Ftw.
> > > > It would effectively encrypt the "inner" Client Hello.
> > > 
> > > Same basic concept, different implementation. TLS tunneling would
> > > provide some backwards compatibility; ClientHellos would still look
> > > like ClientHellos. I was just suggesting the simple generic route of
> > > encrypting everything in a non-backwards-compatible way (sent to a
> > > specified port that is set up to only handle that and reject
> > > everything else). I'd rather let stupid/incompatible stuff just break
> > > if we're designing a new opt-in system.
> > > 
> > > The argument I'm making here isn't about implementation; it's about
> > > what to think about implementing to deal with the issues here.
> > 
> > I respectfully disagree. That system requires tight coupling between the
> > TLS implementation and DNS. This is not something that facilitates TLS
> > deployment. We want more TLS/HTTPS deployment, not less.
> 
> I completely understand why you'd disagree on these grounds. My argument is
> that whilst this does require a significant amount of coordination, it's a
> more productive route than just focusing on SNI encryption, which still has
> its own share of problems. (hence us not agreeing on a way to do it yet)

Is there anything else sensitive in the Client Hello? Either way, to properly 
encrypt SNI with forward secrecy requires the same system that would be 
necessary to encrypt the whole Client Hello.

> The most practical short-term route would likely be to continue to hold our
> noses and expect cleartext SNI, but maybe provide a very simple way for
> servers to put a flag in a DNS record to opt-out entirely when they can do
> without.

The point of encrypting SNI is so that you can hide a website on a shared 
hosting host. If you have just one website on a host, there's nothing to 
hide... Opting out by servers also makes the interesting targets more visible 
(see also: email encryption).

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
