On Wed, 18 Jul 2018, 18:03 Kate Krauss, ailanthus@riseup.net wrote:

This is a helpful letter and domain fronting would probably benefit from more public advocacy. The letter did not get much media coverage. There will be lots of reporters at HOPE who may be interested and probably more than one organization that benefits from domain fronting.

Hi Kate!

I stand by my criticism as posted at:

https://twitter.com/AlecMuffett/status/1019468247823978496

…in short: that DF is an ugly hack that relies on "SNI" - a feature of SSL which in daily life is leveraged to enable, not bypass, filtering and censorship.

It may be artfully ironic with DF to leverage SNI "for good", but it would probably be wiser to learn to live without either/both, instead encouraging wider adoption of the controversial "TLS 1.3" standard along with the draft "encrypted SNI" feature.

This would be much more in keeping with the Tor ethos of "anonymity loves company".

That any Civil Society organisation is calling for the retention of SNI, is a bit perverse.

-a

Mistyped. That is all :)

Having an ELI5 is a totally fair request, and I'll do my best; I've had a couple of requests for this already so please pardon me if I take it from the top:

We use encryption to send messages privately from a web-browser (like firefox) to a web-server (like apache) which is running on a computer somewhere in the world; to get this privacy we lock the messages in an "envelope" of encryption, which means that nobody can read the messages unless they have the magic "keys" that are needed to open the envelope.

The problem is: many years ago someone worked out that it's a lot cheaper to have a bunch of web-servers (eg: apache) for websites, on a single computer, and when you have that situation there's a problem: which of the dozens of web-servers is the one which is meant to receive the encrypted message?

You can't reasonably give the same envelope to all of them and see if it works for one; that would be wasteful; so somebody came up with the idea of writing the name of the server (providing a Server Name Indication, or SNI) in cleartext on the front of the envelope.

SNI meant that if there were web servers for Alice.COM, and Bob.ORG on the same machine, then the envelope could be delivered to the machine's address (123 West Street, Boston) and handed directly to Alice or Bob by the machine, for them to decrypt.

Some clever people worked out that they could use this system to get a kind of privacy: if Alice actually *owns* the house, and if Bob is wanted by the police, then people who wanted to mail Bob could write "Alice.COM" in cleartext on the outside of the envelope, and they could encrypt the message *for* Alice, but when the message begins with "Dear Bob,..." then Alice would heave a sigh and hand the message over to Bob to be read. Alice would be acting as a "front" for Bob, and hence "Domain Fronting". The problem with this process is that it stresses Alice and gets stressy, it means that the police can say that Alice is complicit in crime, and also it's less efficient - Alice has to sort through HER mailbox and use HER keys on behalf of Bob. This is bad for Alice.

But also: taking a step back, there's the whole problem of writing names in cleartext on envelopes. Every person in the world who is not in an Alice/Bob kind of relationship, but who wants to use HTTPS, ends up doing the same write-in-cleartext thing to ALL their traffic.

This means that Victoria wants to write a message to PlannedParenthood.COM and has to write the PP.com SNI on the front of *her* envelopes, too; and Victoria's ISP (who is generically against abortion) can just trash those messages entirely ("website not reachable") or can attack them with some sort of man-in-the-middleware.

Ergo: nowadays some clever people at Mozilla, Apple, Cloudflare, etc, have worked out a way that the envelopes still get addressed in cleartext (123 West Street, Boston) but the SNI (Alice.COM, Bob.ORG, PP.COM) is encrypted.

Encrypted SNI means that ISPs cannot editorialise traffic to PP.COM, that Alice no longer has to "front" for Bob and suffer both complexity and moral complicity, and that overall the messages which are passed back and forth to/from all of the above are a LOT less fingerprintable. You might say, "almost anonymous", and that "anonymity loves company". :-)

However, as you'll guess, the security services of the world have been profiting from SNI and from other "features" of older forms of HTTPS, and the idea of losing all this bountiful metadata is painful to them; hence they are fighting tooth-and-nail against the new TLS1.3 - which is so-far largely unfingerprintable / close to anonymous / unmolested by spooks:

https://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/

...and they are looking for division which can be leveraged into "See, even the supposed 'Good Guys' want to keep SNI!".

So, in short: by pursuing Domain Fronting rather than burning it and pursuing Encrypted SNI, we risk advancing the arguments of spooks, and also retarding the adoption of protocols which will provide us all with greater, more secure, more end-to-end (not even Alice-having-to-front-for-...) communication

How does that work?

-a

On Thu, Jul 19, 2018 at 12:51 AM, Alec Muffett alec.muffett@gmail.com wrote:

So, in short: by pursuing Domain Fronting rather than burning it and pursuing Encrypted SNI, we risk advancing the arguments of spooks, and also retarding the adoption of protocols which will provide us all with greater, more secure, more end-to-end (not even Alice-having-to-front-for-...) communication

How does that work?

I think it's great that Alec brings up this important issue. But I am wondering:

* When will Encrypted SNI be widely available? My understanding is it will take at least months or years to widely deploy. * We have Domain Fronting now -- is it not reasonable to ask Google and Amazon to keep supporting it until they support ESNI? That's not the same thing as "supporting cleartext SNI forever." * Can't governments or ISPs simply block ESNI requests? Will browsers and CDNs then fall back to cleartext SNI? * While I can see why Google and Amazon might have legitimate business reasons not to permit Domain Fronting, it seems also legitimate to ask them to reconsider in order to support people subjected to censorship. Was legislation or other state coercion hinted at somewhere? In the senators' letter, it says "we respectfully urge you to reconsider."

Arthur

Just wanted to say that this thread has been very informative and super approachable for someone with a poor understanding of encryption. Really appreciate it!

best, -Richard

On 07/19/2018 10:34 AM, Alec Muffett wrote:

Great and fair questions.

On Thu, 19 Jul 2018 at 16:55, Arthur D. Edelstein <arthuredelstein@gmail.com mailto:arthuredelstein@gmail.com> wrote:

* When will Encrypted SNI be widely available? My understanding is it
will take at least months or years to widely deploy.

It will take ages. certainly a few years, to reach ubiquity.

Having lived through the "Hey, here's a great idea, let's put NULL ciphersuites in IPsec to aid Debugging!"-feint by the intelligence community which meant a bunch of people were/are "running VPNs" that were/are essentially cleartext, I am disinclined to approve of any measure, from any direction, which seeks to say "stay, just a little bit longer…" re: Plaintext SNI.

Much better instead to start loudly labelling them as "DEPRECATED, OLD AND BUSTED" right _now_, live with that in the interim, and ease a rapid transition away from the old-and-bustedness as soon as it sediments.

* We have Domain Fronting now -- is it not reasonable to ask Google
and Amazon to keep supporting it until they support ESNI? That's not
the same thing as "supporting cleartext SNI forever."

Their infrastructure is migrating away from old and busted, and there is a lot of sense in that migration - Domain Fronting actually has consequences for request security, trust and handling. I could try describing it here, but I would probably mess it up - a much better speaker on this topic is Ryan Sleevi.

* Can't governments or ISPs simply block ESNI requests? Will browsers
and CDNs then fall back to cleartext SNI?

Great questions; the first attempts at rolling out TLS1.3 (and subsequent embarrassing reversal) provide a guide to the all-or-nothing breakage:

https://searchsecurity.techtarget.com/news/450413934/Chrome-backs-out-of-TLS...

Short version: getting the pain over-with quickly and then pursuing a rapid transition, seems to be the best strategy; if we push for Google to retain PlainSNI and DF, and if we are successful, then we are leaving the field open to a Post-TLS1.3-Deployment "slippery-slope" argument against adopting Encrypted SNI.

Better, instead, to ram them through, together, in lockstep.

* While I can see why Google and Amazon might have legitimate business
reasons not to permit Domain Fronting, it seems also legitimate to ask
them to reconsider in order to support people subjected to censorship.

Ask all you like, but it's a bad idea; you're basically asking them to risk all their traffic on behalf of (for example) Tor.  Better, instead, to fix the shitty software, so they can say "We have Tor Relays running on our Infra? Well, they're just another customer, nothing we can do about it!" - rather than face accusations of having implemented DF and bending their own security models to support the democratic peccadilloes of the liberal west.

Was legislation or other state coercion hinted at somewhere? In the
senators' letter, it says "we respectfully urge you to reconsider."

I can't speak to that, but I have trusted sources who tell me that GCHQ was recently trawling the Financial Services companies (ie: investment banks and so forth) in the "City" of London (ie: financial district) looking for big names that they could parade at the recent IETF meeting in London, to try and add leverage to drilling some surveillance-friendly holes into the TLS specification.  They were looking for big names who would go on record to say "We require man-in-the-middle-capabilities in order to maintain legal compliance" - which is bullshit for any decently run organisation. To a first approximation, nobody came forwards to support their perspective.

If you want to read GCHQ's perspective on how stronger, better security in TLS1.3 makes things "harder for enterprise", read this blog post: https://www.ncsc.gov.uk/blog-post/tls-13-better-individuals-harder-enterpris...

Speaking as a former Enterprise Security Architect for Sun Microsystems, and having build systems for banks, I consider the blogpost to be an utter fabrication, unworthy of respect.

As such, I might perhaps be a little oversensitive, but I am deeply suspicious of any proposition from any quarter which essentially attempts to sediment old-and-busted TLS1.2 functionality.

- alec

-- http://dropsafe.crypticide.com/aboutalecm

---

tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project

On Thu, 19 Jul 2018 at 18:54, Kate Krauss ailanthus@riseup.net wrote:

On 2018-07-19 3:51 am, Alec Muffett wrote:

Thank you! I'm extremely grateful to both Alec and Yawning for these thoughtful and clear explanations. So there can be no possible domain fronting under TSL 1.3?

Not quite.

DomainFronting essentially means that "SNI Says Alice, First Line Of Letter Says 'Dear Bob'".

You can do that in both TLS1.2 and 1.3, with Plaintext SNI or (in 1.3) with Encrypted SNI.

However:

a) doing it is a pain in the ass for the service provider, irrespective of what version TLS is in use, plus it has negative security consequences (see previous email from me)

b) if we make TLS1.3+EncryptedSNI into a ubiquitous offering, the need for DF becomes moot. It becomes pointless.

Is TSL 1.3 inevitable now that it's been

approved by IETF?

Kinda, but we need to watch carefully for people trying to drill holes in it, and/or for "adding friction" to anyone wanting to _leave_ TLS1.2

Such friction includes the Civil Society community screaming "Waaaaah! But losing DF harms Tor!"

Honest answer: "short term, yes; long term we can win hugely, and we piss off the NSA too!".

If so, does it make sense to push for domain fronting as a transitional strategy until we have a better plan?

Exactly. Clearly deprecate it, limp along with what DF we can get, and push hard to get TLS1.3+ESNI into the world's default webserver configs as soon as possible, and I think we'll be shooting the right direction.

His tech advisor

Chris Soghoian may support the letter.

I've seen Chris' work before, eg: in support of export control of security software ("Wassenaar") to stop the outflow of spyware from Western countries to at-risk countries like Ethiopia.

I won't argue with his sentiment, then as now, but I feel (if he's also behind this) that his approaches lack adequate consideration of bigger pictures and long-term goals.

So my final question--and this may just be contained in a link someone could just post, but better, ELI5 here (if appropriate)--is what might work, what is on the horizon, does it need more support, and if so, how can we support it?

We must boldly and clearly recognise DF as the ugly kludge that it is, and make sure the world knows that; I feel that Tor should (if resources can be found) get involved with the community of people and companies who are pursuing solid communications security at the HTTPS layer; in some senses they are only trying to emulate the goals which Tor has had for years (decades?) and there must be experience worth sharing.

-a

On Sat, 21 Jul 2018, 00:01 Peter Todd, pete@petertodd.org wrote:

So to be clear, with encrypted SNI you could get the same benefits of domain fronting by simply renting hosting where one IP is used for multiple different services, in exactly the same way that domain fronting is done today?

Yes. You could hide amongst the herd with zero magical bullshit being required, on the proviso that ESNI becomes approximately normal, first.

Hence the importance of getting behind it and pushing it as a standard part of eventual TLS1.3 migrations, rather than have it arrive AFTER the initial major 1.3 migrations and thereby requiring further effort to make it normal.

Otherwise it's like someone bringing out the ketchup after you have already finished eating your hot dog.

-a