Just wanted to say that this thread has been very informative and super approachable for someone with a poor understanding of encryption. Really appreciate it!
best, -Richard
On 07/19/2018 10:34 AM, Alec Muffett wrote:
Great and fair questions.
On Thu, 19 Jul 2018 at 16:55, Arthur D. Edelstein <arthuredelstein@gmail.com> wrote:
* When will Encrypted SNI be widely available? My understanding is it will take at least months or years to widely deploy.
It will take ages, certainly a few years, to reach ubiquity.
Having lived through the "Hey, here's a great idea, let's put NULL ciphersuites in IPsec to aid Debugging!"-feint by the intelligence community which meant a bunch of people were/are "running VPNs" that were/are essentially cleartext, I am disinclined to approve of any measure, from any direction, which seeks to say "stay, just a little bit longer…" re: Plaintext SNI.
Much better instead to start loudly labelling them as "DEPRECATED, OLD AND BUSTED" right _now_, live with that in the interim, and ease a rapid transition away from the old-and-bustedness as soon as it sediments.
* We have Domain Fronting now -- is it not reasonable to ask Google and Amazon to keep supporting it until they support ESNI? That's not the same thing as "supporting cleartext SNI forever."
Their infrastructure is migrating away from old and busted, and there is a lot of sense in that migration - Domain Fronting actually has consequences for request security, trust and handling. I could try describing it here, but I would probably mess it up - a much better speaker on this topic is Ryan Sleevi.
* Can't governments or ISPs simply block ESNI requests? Will browsers and CDNs then fall back to cleartext SNI?
Great questions; the first attempts at rolling out TLS1.3 (and subsequent embarrassing reversal) provide a guide to the all-or-nothing breakage:
https://searchsecurity.techtarget.com/news/450413934/Chrome-backs-out-of-TLS...
Short version: getting the pain over with quickly and then pursuing a rapid transition seems to be the best strategy; if we push for Google to retain PlainSNI and DF, and if we are successful, then we are leaving the field open to a Post-TLS1.3-Deployment "slippery-slope" argument against adopting Encrypted SNI.
Better, instead, to ram them through, together, in lockstep.
* While I can see why Google and Amazon might have legitimate business reasons not to permit Domain Fronting, it seems also legitimate to ask them to reconsider in order to support people subjected to censorship.
Ask all you like, but it's a bad idea; you're basically asking them to risk all their traffic on behalf of (for example) Tor. Better, instead, to fix the shitty software, so they can say "We have Tor Relays running on our Infra? Well, they're just another customer, nothing we can do about it!" - rather than face accusations of having implemented DF and bending their own security models to support the democratic peccadilloes of the liberal west.
Was legislation or other state coercion hinted at somewhere? In the senators' letter, it says "we respectfully urge you to reconsider."
I can't speak to that, but I have trusted sources who tell me that GCHQ was recently trawling the Financial Services companies (ie: investment banks and so forth) in the "City" of London (ie: financial district) looking for big names that they could parade at the recent IETF meeting in London, to try and add leverage to drilling some surveillance-friendly holes into the TLS specification. They were looking for big names who would go on record to say "We require man-in-the-middle-capabilities in order to maintain legal compliance" - which is bullshit for any decently run organisation. To a first approximation, nobody came forwards to support their perspective.
If you want to read GCHQ's perspective on how stronger, better security in TLS1.3 makes things "harder for enterprise", read this blog post: https://www.ncsc.gov.uk/blog-post/tls-13-better-individuals-harder-enterpris...
Speaking as a former Enterprise Security Architect for Sun Microsystems, and having built systems for banks, I consider the blogpost to be an utter fabrication, unworthy of respect.
As such, I might perhaps be a little oversensitive, but I am deeply suspicious of any proposition from any quarter which essentially attempts to sediment old-and-busted TLS1.2 functionality.
- alec
-- http://dropsafe.crypticide.com/aboutalecm
tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project