Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ESNI -> ECHO #207

Merged
merged 28 commits into from
Mar 9, 2020
Merged

ESNI -> ECHO #207

merged 28 commits into from
Mar 9, 2020

Conversation

chris-wood
Copy link
Collaborator

@chris-wood chris-wood commented Mar 8, 2020
edited
Loading

This change implements the ESNI -> ECHO design discussed in Singapore. There a couple pending TODOs, particularly around cross-CH HRR binding, but the meat is what's currently being analyzed.

cc @davidben, @grittygrease, @martinthomson, @karthikbhargavan

ekr and others added 27 commits November 3, 2019 06:38
@ekr
Update introduction
1daf948
@ekr
Rewrite the specification pieces
5b76b9b
@ekr
Update the text on client side
8cead14
@ekr
Update the grease procedures
30ed56d
@ekr
First at a "tunnelling ClientHello" PR. The general pattern is that
3913dad 
the client creates a ClientHelloInner value with the true SNI,
encrypts that, and puts it into an extension in ClientHelloOuter,
which is what is actually sent to the server.

There are a number of open issues here:

- This design protects against the HRR splicing attack by having
  the transcript include ClientHelloInner.nonce, which relies
  on transcript secrecy. An alternative design would be to
  explicitly include it in the key schedule. However, this
  is a bit odd in split mode.

- You have to use trial decryption on the client to determine whether
  the ClientHelloInner or ClientHelloOuter was accepted, and the client
  doesn't even know when it gets HRR whether it applies to the inner or
  outer CH. Should we consider having an extension indicate
  this? Obviously that leaks some information, however the primary thing
  that it leaks is whether the server knew the ESNI key, which can be
  independently determined by sending a new CH with the relevant config.

This whole dual transcript thing is definitely a weak spot that would
need some extensive analysis.
@ekr
Remove nonce echoing
d999664
@ekr
External extension
6cc05b3
@ekr
external -> outer
9c3974b
@ekr
Remove text that no longer applies
44a7d7d
Merge branch 'master' of github.com:tlswg/draft-ietf-tls-esni into tu…
514f4ad 
…nnel_version
s/ESNI/ECHO and a quick pass.
cc171fd
Updates based on review.
6d76e9f
create->form.
68ca077
More updates based on review.
844dee3
Fix camel casing and some other things.
2fecaa7
Clarify that the inner and outer CHs are complete CHs.
eb360a1
Bind CH1 and CH2 across HRR, using an HPKE-derived secret.
e4e577c
Apply updates based on PR.
bdde716
Simplify (?) extension compression.
6dd1e7e
Try to simplify, again.
7ddeff5
@ekr
Update draft-ietf-tls-esni.md
6273d6f
@ekr
Update draft-ietf-tls-esni.md
a65808d
@ekr
Update draft-ietf-tls-esni.md
37ee8aa
@ekr
Update draft-ietf-tls-esni.md
5a87f75
@ekr
Update draft-ietf-tls-esni.md
b4eb7e9
@ekr
Editorial/todos
2c7bfc1
@ekr
Clarify
1f7ca54
@chris-wood chris-wood requested review from ekr and kazuho March 8, 2020 00:30
@chris-wood chris-wood mentioned this pull request Mar 8, 2020
Closed
This was referenced Mar 8, 2020
Closed
Closed
Closed
Closed
Remove legacy text regarding multiple "outer_extension" extensions.
42c6c48 
We replaced multiple "outer_extension" extensions with a single
"outer_extensions" extension.
ekr
ekr approved these changes Mar 9, 2020
View reviewed changes
Copy link
Collaborator

@ekr ekr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still seems a bit rough, but I think better in the spec than out.

@chris-wood chris-wood merged commit 7d53f5b into tlswg:master Mar 9, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekr ekr ekr approved these changes

@kazuho kazuho Awaiting requested review from kazuho

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@chris-wood @ekr