-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ESNI -> ECHO #207
Merged
Merged
ESNI -> ECHO #207
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
the client creates a ClientHelloInner value with the true SNI, encrypts that, and puts it into an extension in ClientHelloOuter, which is what is actually sent to the server. There are a number of open issues here: - This design protects against the HRR splicing attack by having the transcript include ClientHelloInner.nonce, which relies on transcript secrecy. An alternative design would be to explicitly include it in the key schedule. However, this is a bit odd in split mode. - You have to use trial decryption on the client to determine whether the ClientHelloInner or ClientHelloOuter was accepted, and the client doesn't even know when it gets HRR whether it applies to the inner or outer CH. Should we consider having an extension indicate this? Obviously that leaks some information, however the primary thing that it leaks is whether the server knew the ESNI key, which can be independently determined by sending a new CH with the relevant config. This whole dual transcript thing is definitely a weak spot that would need some extensive analysis.
Closed
This was referenced Mar 8, 2020
Closed
We replaced multiple "outer_extension" extensions with a single "outer_extensions" extension.
ekr
approved these changes
Mar 9, 2020
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This still seems a bit rough, but I think better in the spec than out.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change implements the ESNI -> ECHO design discussed in Singapore. There a couple pending TODOs, particularly around cross-CH HRR binding, but the meat is what's currently being analyzed.
cc @davidben, @grittygrease, @martinthomson, @karthikbhargavan